Changeset 988 for vendor/current/selftest

Timestamp:

Nov 24, 2016, 1:14:11 PM (9 years ago)

Author:

Silvan Scherrer

Message:

Samba Server: update vendor to version 4.4.3

Location:

vendor/current/selftest

Files:

• README (modified) (4 diffs)
• Subunit (deleted)
• __init__.py (added)
• client.py (added)
• devel_env.sh (added)
• filter-subunit (modified) (1 diff)
• flapping (added)
• format-subunit (modified) (3 diffs)
• gdb_backtrace (modified) (2 diffs)
• in_screen (modified) (1 diff)
• knownfail (added)
• manage-ca (added)
• manage-ca/CA-samba.example.com (added)
• manage-ca/CA-samba.example.com/DCs (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-cert.pem (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-key.pem (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-openssl.cnf (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-private-key.pem (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-S02-req.pem (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-cert.pem (added)
• manage-ca/CA-samba.example.com/DCs/addc.addom.samba.example.com/DC-addc.addom.samba.example.com-private-key.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-cert.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-key.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-openssl.cnf (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-private-key.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-S00-req.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-cert.pem (added)
• manage-ca/CA-samba.example.com/DCs/localdc.samba.example.com/DC-localdc.samba.example.com-private-key.pem (added)
• manage-ca/CA-samba.example.com/NewCerts (added)
• manage-ca/CA-samba.example.com/NewCerts/00.pem (added)
• manage-ca/CA-samba.example.com/NewCerts/01.pem (added)
• manage-ca/CA-samba.example.com/NewCerts/02.pem (added)
• manage-ca/CA-samba.example.com/NewCerts/03.pem (added)
• manage-ca/CA-samba.example.com/Private (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-crlnumber.txt.old (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.attr.old (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-index.txt.old (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-openssl.cnf (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-private-key.pem (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt (added)
• manage-ca/CA-samba.example.com/Private/CA-samba.example.com-serial.txt.old (added)
• manage-ca/CA-samba.example.com/Public (added)
• manage-ca/CA-samba.example.com/Public/CA-samba.example.com-cert.pem (added)
• manage-ca/CA-samba.example.com/Public/CA-samba.example.com-crl.pem (added)
• manage-ca/CA-samba.example.com/Users (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-cert.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-key.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-openssl.cnf (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-private-key.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-S03-req.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-cert.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@addom.samba.example.com/USER-administrator@addom.samba.example.com-private-key.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-cert.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-key.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-openssl.cnf (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-private-key.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-S01-req.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-cert.pem (added)
• manage-ca/CA-samba.example.com/Users/administrator@samba.example.com/USER-administrator@samba.example.com-private-key.pem (added)
• manage-ca/manage-CA-samba.example.com.cnf (added)
• manage-ca/manage-CA-samba.example.com.sh (added)
• manage-ca/manage-ca.sh (added)
• manage-ca/manage-ca.templates.d (added)
• manage-ca/manage-ca.templates.d/manage-CA-example.com.cnf (added)
• manage-ca/manage-ca.templates.d/openssl-BASE-template.cnf (added)
• manage-ca/manage-ca.templates.d/openssl-CA-template.cnf (added)
• manage-ca/manage-ca.templates.d/openssl-DC-template.cnf (added)
• manage-ca/manage-ca.templates.d/openssl-USER-template.cnf (added)
• output (deleted)
• quick (added)
• run.py (added)
• selftest.pl (modified) (38 diffs)
• selftest.pl.1 (added)
• selftest.py (added)
• selftesthelpers.py (modified) (7 diffs)
• skip (added)
• slow (added)
• socket_wrapper.py (added)
• subunithelper.py (modified) (18 diffs)
• tap2subunit (added)
• target/Kvm.pm (deleted)
• target/Samba.pm (added)
• target/Samba3.pm (modified) (34 diffs)
• target/Samba4.pm (modified) (50 diffs)
• target/Template.pm (deleted)
• target/Windows.pm (deleted)
• target/__init__.py (added)
• target/samba.py (added)
• test_samba4.pl (deleted)
• testlist.py (added)
• tests (added)
• tests.py (added)
• tests/__init__.py (added)
• tests/test_run.py (added)
• tests/test_samba.py (added)
• tests/test_socket_wrapper.py (added)
• tests/test_target.py (added)
• tests/test_testlist.py (added)
• valgrind_run (modified) (1 diff)
• wscript (added)

vendor/current/selftest/README

@@ -2 +2 @@
 
 This directory contains test scripts that are useful for running a
-bunch of tests all at once. 
+bunch of tests all at once.
 
-There are two parts to this: 
+There are two parts to this:
 
  * The test runner (selftest/selftest.pl)
  * The test formatter
 
-selftest.pl simply outputs subunit, which can then be formatted or analyzed 
-by tools that understand the subunit protocol. One of these tools is 
+selftest.pl simply outputs subunit, which can then be formatted or analyzed
+by tools that understand the subunit protocol. One of these tools is
 format-subunit, which is used by default as part of "make test".
 
 Available testsuites
 ====================
-The available testsuites are obtained from a script, usually 
-source{3,4}/selftest/tests.sh. This script should for each testsuite output 
-the name of the test, the command to run and the environment that should be 
+The available testsuites are obtained from a script, usually
+source{3,4}/selftest/tests.py. This script should for each testsuite output
+the name of the test, the command to run and the environment that should be
 provided. Use the included "plantest" function to generate the required output.
 
@@ -25 +25 @@
 Exit code
 ------------
-The testsuites should exit with a non-zero exit code if at least one 
+The testsuites should exit with a non-zero exit code if at least one
 test failed. Skipped tests should not influence the exit code.
 
 Output format
 -------------
-Testsuites can simply use the exit code to indicate whether all of their 
-tests have succeeded or one or more have failed. It is also possible to 
-provide more granular information using the Subunit protocol. 
+Testsuites can simply use the exit code to indicate whether all of their
+tests have succeeded or one or more have failed. It is also possible to
+provide more granular information using the Subunit protocol.
 
-This protocol works by writing simple messages to standard output. Any 
-messages that can not be interpreted by this protocol are considered comments 
+This protocol works by writing simple messages to standard output. Any
+messages that can not be interpreted by this protocol are considered comments
 for the last announced test.
 
-For a full description of the subunit protocol, see ../lib/subunit/README.
+For a full description of the subunit protocol, see the README file in the subunit
+repository at http://github.com/testing-cabal/subunit.
 
 The following commands are Samba extensions to Subunit:
-
-testsuite-count
-~~~~~~~~~~~~~~~
-testsuite-count: number
-
-Announce the number of tests that is going to be run.
 
 start-testsuite
@@ -74 +69 @@
 Environments
 ============
-Tests often need to run against a server with particular things set up, 
-a "environment". This environment is provided by the test "target": Samba 3, 
+Tests often need to run against a server with particular things set up,
+a "environment". This environment is provided by the test "target": Samba 3,
 Samba 4 or Windows.
 
-The following environments are currently available:
+The environments are currently available include
 
  - none: No server set up, no variables set.
- - dc: Domain controller set up. The following environment variables will 
+ - dc,s3dc: Domain controller set up. The following environment variables will
    be set:
 
      * USERNAME: Administrator user name
-         * PASSWORD: Administrator password
-         * DOMAIN: Domain name
-         * REALM: Realm name
-         * SERVER: DC host name 
-         * SERVER_IP: DC IPv4 address
-         * NETBIOSNAME: DC NetBIOS name
-         * NETIOSALIAS: DC NetBIOS alias
+     * PASSWORD: Administrator password
+     * DOMAIN: Domain name
+     * REALM: Realm name
+     * SERVER: DC host name
+     * SERVER_IP: DC IPv4 address
+     * SERVER_IPV6: DC IPv6 address
+     * NETBIOSNAME: DC NetBIOS name
+     * NETIOSALIAS: DC NetBIOS alias
 
- - member: Domain controller and member server that is joined to it set up. The
+ - member,s4member,s3member: Domain controller and member server that is joined to it set up. The
    following environment variables will be set:
 
      * USERNAME: Domain administrator user name
-         * PASSWORD: Domain administrator password
-         * DOMAIN: Domain name
-         * REALM: Realm name
-         * SERVER: Name of the member server
+     * PASSWORD: Domain administrator password
+     * DOMAIN: Domain name
+     * REALM: Realm name
+     * SERVER: Name of the member server
 
+See Samba.pm, Samba3.pm and Samba4.pm for the full list.
 
 Running tests
@@ -110 +107 @@
    make test
 
-To run a quick subset (aiming for about 1 minute of testing) run::
+To run a quicker subset run::
 
    make quicktest

vendor/current/selftest/filter-subunit

@@ -1 +1 @@
 #!/usr/bin/env python
 # Filter a subunit stream
-# Copyright (C) Jelmer Vernooij <jelmer@samba.org>
-# Published under the GNU GPL, v3 or later
+# Copyright (C) 2009-2011 Jelmer Vernooij <jelmer@samba.org>
+
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+# NOTE: This script is a hack, meant as a placeholder until we can migrate
+# to upstream subunit's filtering tools.
 
 import optparse
-import os
 import sys
 import signal
 
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../lib/subunit/python"))
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../lib/testtools"))
+sys.path.insert(0, "bin/python")
 
 import subunithelper
 
 parser = optparse.OptionParser("filter-subunit [options] < instream > outstream")
-parser.add_option("--expected-failures", type="string", 
-        help="File containing list of regexes matching tests to consider known "
-             "failures")
-parser.add_option("--strip-passed-output", action="store_true", 
+parser.add_option("--expected-failures", type="string",
+    help="File containing list of regexes matching tests to consider known "
+         "failures")
+parser.add_option("--flapping", type="string",
+    help="File containing list of flapping tests, of which to ignore results.")
+parser.add_option("--strip-passed-output", action="store_true",
     help="Whether to strip output from tests that passed")
-parser.add_option("--fail-immediately", action="store_true", 
+parser.add_option("--fail-immediately", action="store_true",
     help="Whether to stop on the first error", default=False)
 parser.add_option("--prefix", type="string",
-        help="Add prefix to all test names")
+    help="Add prefix to all test names")
+parser.add_option("--suffix", type="string",
+    help="Add suffix to all test names")
 parser.add_option("--fail-on-empty", default=False,
-        action="store_true", help="Fail if there was no subunit output")
+    action="store_true", help="Fail if there was no subunit output")
 parser.add_option("--list", default=False,
-        action="store_true", help="Operate in list mode")
+    action="store_true", help="Operate in list mode")
 opts, args = parser.parse_args()
 
 if opts.list:
-        prefix = opts.prefix
-        if not prefix:
-                prefix = ""
-        for l in sys.stdin:
-                sys.stdout.write("%s%s\n" % (prefix, l.rstrip()))
-        sys.exit(0)
+    prefix = opts.prefix
+    suffix = opts.suffix
+    if not prefix:
+        prefix = ""
+    if not suffix:
+        suffix = ""
+    for l in sys.stdin:
+         sys.stdout.write("%s%s%s\n" % (prefix, l.rstrip(), suffix))
+    sys.exit(0)
 
 if opts.expected_failures:
-        expected_failures = subunithelper.read_test_regexes(opts.expected_failures)
+    expected_failures = subunithelper.read_test_regexes(opts.expected_failures)
 else:
-        expected_failures = {}
+    expected_failures = {}
+
+
+if opts.flapping:
+    flapping = subunithelper.read_test_regexes(opts.flapping)
+else:
+    flapping = {}
 
 statistics = {
-        'TESTS_UNEXPECTED_OK': 0,
-        'TESTS_EXPECTED_OK': 0,
-        'TESTS_UNEXPECTED_FAIL': 0,
-        'TESTS_EXPECTED_FAIL': 0,
-        'TESTS_ERROR': 0,
-        'TESTS_SKIP': 0,
+    'TESTS_UNEXPECTED_OK': 0,
+    'TESTS_EXPECTED_OK': 0,
+    'TESTS_UNEXPECTED_FAIL': 0,
+    'TESTS_EXPECTED_FAIL': 0,
+    'TESTS_ERROR': 0,
+    'TESTS_SKIP': 0,
 }
 
 def handle_sigint(sig, stack):
-        sys.exit(0)
+    sys.exit(0)
 signal.signal(signal.SIGINT, handle_sigint)
 
 out = subunithelper.SubunitOps(sys.stdout)
-msg_ops = subunithelper.FilterOps(out, opts.prefix, expected_failures,
-                                  opts.strip_passed_output,
-                                  fail_immediately=opts.fail_immediately)
+msg_ops = subunithelper.FilterOps(out, opts.prefix, opts.suffix, expected_failures,
+    opts.strip_passed_output,
+    fail_immediately=opts.fail_immediately,
+    flapping=flapping)
 
 try:
-        ret = subunithelper.parse_results(msg_ops, statistics, sys.stdin)
+    ret = subunithelper.parse_results(msg_ops, statistics, sys.stdin)
 except subunithelper.ImmediateFail:
-        sys.stdout.flush()
-        sys.exit(1)
+    sys.stdout.flush()
+    sys.exit(1)
 
 if opts.fail_on_empty and not msg_ops.seen_output:
-        sys.exit(1)
+    sys.exit(1)
 else:
-        sys.exit(ret)
+    sys.exit(ret)

vendor/current/selftest/format-subunit

@@ -10 +10 @@
 import sys
 
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../lib/subunit/python"))
-sys.path.insert(0, os.path.join(os.path.dirname(__file__), "../lib/testtools"))
+sys.path.insert(0, "bin/python")
 
 import subunithelper
@@ -18 +17 @@
 parser.add_option("--verbose", action="store_true",
     help="Be verbose")
-parser.add_option("--immediate", action="store_true", 
+parser.add_option("--immediate", action="store_true",
     help="Show failures immediately, don't wait until test run has finished")
 parser.add_option("--prefix", type="string", default=".",
@@ -26 +25 @@
 
 def handle_sigint(sig, stack):
-        sys.exit(0)
+    sys.exit(0)
+
 signal.signal(signal.SIGINT, handle_sigint)
 

vendor/current/selftest/gdb_backtrace

@@ -59 +59 @@
 }
 
-#
+need_binary="no"
+case "${DB}" in
+# These debuggers need the process binary specified:
+        ladebug)
+        need_binary="yes"
+        ;;
+        gdb66)
+        need_binary="yes"
+        ;;
+        dbx)
+        need_binary="yes"
+        ;;
+esac
+
+test x"${need_binary}" = x"yes" && {
+
 # we first try to use /proc/${PID}/exe or /proc/{$PID}/path for solaris
 # then fallback to the binary from the commandline
@@ -65 +80 @@
 # 'which'
 #
-test -f "/proc/${PID}/exe" && BINARY="/proc/${PID}/exe"
-test -f "/proc/${PID}/path/a.out" && BINARY=`ls -l /proc/${PID}/path/a.out |sed 's/.*-> //'`
-test x"${BINARY}" = x"" && BINARY="/proc/${PID}/exe"
-test -f "${BINARY}" || BINARY=`which ${BINARY}`
-
-test -f "${BINARY}" || {
-        echo "${BASENAME}: ERROR: Cannot find binary '${BINARY}'."
-        exit 1
+        test -f "/proc/${PID}/exe" && BINARY="/proc/${PID}/exe"
+        test -f "/proc/${PID}/path/a.out" && BINARY=`ls -l /proc/${PID}/path/a.out |sed 's/.*-> //'`
+        test x"${BINARY}" = x"" && BINARY="/proc/${PID}/exe"
+        test -f "${BINARY}" || BINARY=`which ${BINARY}`
+        
+        test -f "${BINARY}" || {
+            echo "${BASENAME}: ERROR: Cannot find binary '${BINARY}'."
+            exit 1
+        }
 }
-
-echo "${BASENAME}: Trying to use ${DB_BIN} on ${BINARY} on PID ${PID}"
 
 BATCHFILE_PRE=/tmp/gdb_backtrace_pre.$$

vendor/current/selftest/in_screen

@@ -70 +70 @@
 echo $$ > $basedir/$SERVERNAME.parent.pid
 trap cleanup SIGINT SIGTERM SIGPIPE
-screen -r -X screen -t test:$SERVERNAME bash $basedir/$SERVERNAME.launch
+
+if [[ "$TMUX" ]]; then
+    TMUX_CMD=tmux
+    if [[ $TMUX = *tmate* ]]; then
+        TMUX_CMD=tmate
+    fi
+
+    $TMUX_CMD new-window -n test:$SERVERNAME "bash $basedir/$SERVERNAME.launch"
+else
+    screen -r -X screen -t test:$SERVERNAME bash $basedir/$SERVERNAME.launch
+fi
 echo "$(date) waiting in $$" >> $basedir/$SERVERNAME.log
 read stdin_var

vendor/current/selftest/selftest.pl

@@ -16 +16 @@
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-=pod
-
-=head1 NAME
-
-selftest - Samba test runner
-
-=head1 SYNOPSIS
-
-selftest --help
-
-selftest [--srcdir=DIR] [--builddir=DIR] [--exeext=EXT][--target=samba4|samba3|win|kvm] [--socket-wrapper] [--quick] [--exclude=FILE] [--include=FILE] [--one] [--prefix=prefix] [--testlist=FILE] [TESTS]
-
-=head1 DESCRIPTION
-
-A simple test runner. TESTS is a regular expression with tests to run.
-
-=head1 OPTIONS
-
-=over 4
-
-=item I<--help>
-
-Show list of available options.
-
-=item I<--srcdir=DIR>
-
-Source directory.
-
-=item I<--builddir=DIR>
-
-Build directory.
-
-=item I<--exeext=EXT>
-
-Executable extention
-
-=item I<--prefix=DIR>
-
-Change directory to run tests in. Default is 'st'.
-
-=item I<--target samba4|samba3|win|kvm>
-
-Specify test target against which to run. Default is 'samba4'.
-
-=item I<--quick>
-
-Run only a limited number of tests. Intended to run in about 30 seconds on 
-moderately recent systems.
-                
-=item I<--socket-wrapper>
-
-Use socket wrapper library for communication with server. Only works 
-when the server is running locally.
-
-Will prevent TCP and UDP ports being opened on the local host but 
-(transparently) redirects these calls to use unix domain sockets.
-
-=item I<--exclude>
-
-Specify a file containing a list of tests that should be skipped. Possible 
-candidates are tests that segfault the server, flip or don't end. 
-
-=item I<--include>
-
-Specify a file containing a list of tests that should be run. Same format 
-as the --exclude flag.
-
-Not includes specified means all tests will be run.
-
-=item I<--one>
-
-Abort as soon as one test fails.
-
-=item I<--testlist>
-
-Load a list of tests from the specified location.
-
-=back
-
-=head1 ENVIRONMENT
-
-=over 4
-
-=item I<SMBD_VALGRIND>
-
-=item I<TORTURE_MAXTIME>
-
-=item I<VALGRIND>
-
-=item I<TLS_ENABLED>
-
-=item I<srcdir>
-
-=back
-
-=head1 LICENSE
-
-selftest is licensed under the GNU General Public License L<http://www.gnu.org/licenses/gpl.html>.
-
-=head1 AUTHOR
-
-Jelmer Vernooij
-
-=cut
 
 use strict;
@@ -133 +28 @@
 use Subunit;
 use SocketWrapper;
+use target::Samba;
 
 eval {
@@ -143 +39 @@
 
 my $opt_help = 0;
-my $opt_target = "samba4";
+my $opt_target = "samba";
 my $opt_quick = 0;
 my $opt_socket_wrapper = 0;
 my $opt_socket_wrapper_pcap = undef;
 my $opt_socket_wrapper_keep_pcap = undef;
+my $opt_random_order = 0;
 my $opt_one = 0;
 my @opt_exclude = ();
 my @opt_include = ();
-my $opt_verbose = 0;
-my $opt_image = undef;
 my $opt_testenv = 0;
 my $opt_list = 0;
 my $ldap = undef;
 my $opt_resetup_env = undef;
-my $opt_bindir = undef;
 my $opt_load_list = undef;
+my $opt_libnss_wrapper_so_path = "";
+my $opt_libresolv_wrapper_so_path = "";
+my $opt_libsocket_wrapper_so_path = "";
+my $opt_libuid_wrapper_so_path = "";
+my $opt_use_dns_faking = 0;
 my @testlists = ();
 
 my $srcdir = ".";
-my $builddir = ".";
-my $exeext = "";
+my $bindir = "./bin";
 my $prefix = "./st";
 
 my @includes = ();
 my @excludes = ();
-
-sub pipe_handler {
-        my $sig = shift @_;
-        print STDERR "Exiting early because of SIGPIPE.\n";
-        exit(1);
-}
-
-$SIG{PIPE} = \&pipe_handler;
 
 sub find_in_list($$)
@@ -301 +191 @@
 Generic options:
  --help                     this help page
- --target=samba[34]|win|kvm Samba version to target
- --testlist=FILE            file to read available tests from
+ --target=samba[3]|win      Samba version to target
+ --testlist=FILE            file to read available tests from
+ --exclude=FILE             Exclude tests listed in the file
+ --include=FILE             Include tests listed in the file
 
 Paths:
  --prefix=DIR               prefix to run tests in [st]
  --srcdir=DIR               source directory [.]
- --builddir=DIR             output directory [.]
- --exeext=EXT               executable extention []
+ --bindir=DIR               binaries directory [./bin]
+
+Preload cwrap:
+ --nss_wrapper_so_path=FILE the nss_wrapper library to preload
+ --resolv_wrapper_so_path=FILE the resolv_wrapper library to preload
+ --socket_wrapper_so_path=FILE the socket_wrapper library to preload
+ --uid_wrapper_so_path=FILE the uid_wrapper library to preload
+
+DNS:
+  --use-dns-faking          Fake DNS entries rather than talking to our
+                            DNS implementation.
 
 Target Specific:
- --socket-wrapper-pcap      save traffic to pcap directories
+ --socket-wrapper-pcap      save traffic to pcap directories
  --socket-wrapper-keep-pcap keep all pcap files, not just those for tests that 
                             failed
  --socket-wrapper           enable socket wrapper
- --bindir=PATH              path to target binaries
 
 Samba4 Specific:
  --ldap=openldap|fedora-ds  back samba onto specified ldap server
-
-Kvm Specific:
- --image=PATH               path to KVM image
 
 Behaviour:
  --quick                    run quick overall test
  --one                      abort when the first test fails
- --verbose                  be verbose
  --testenv                  run a shell in the requested test environment
  --list                     list available tests
@@ -345 +241 @@
                 'include=s' => \@opt_include,
                 'srcdir=s' => \$srcdir,
-                'builddir=s' => \$builddir,
-                'exeext=s' => \$exeext,
-                'verbose' => \$opt_verbose,
+                'bindir=s' => \$bindir,
                 'testenv' => \$opt_testenv,
                 'list' => \$opt_list,
                 'ldap:s' => \$ldap,
                 'resetup-environment' => \$opt_resetup_env,
-                'bindir:s' => \$opt_bindir,
-                'image=s' => \$opt_image,
                 'testlist=s' => \@testlists,
+                'random-order' => \$opt_random_order,
                 'load-list=s' => \$opt_load_list,
+                'nss_wrapper_so_path=s' => \$opt_libnss_wrapper_so_path,
+                'resolv_wrapper_so_path=s' => \$opt_libresolv_wrapper_so_path,
+                'socket_wrapper_so_path=s' => \$opt_libsocket_wrapper_so_path,
+                'uid_wrapper_so_path=s' => \$opt_libuid_wrapper_so_path,
+                'use-dns-faking' => \$opt_use_dns_faking
             );
 
@@ -372 +270 @@
 unless (defined($ENV{VALGRIND})) {
         $ENV{VALIDATE} = "validate";
-        $ENV{MALLOC_CHECK_} = 2;
+        $ENV{MALLOC_CHECK_} = 3;
 }
 
@@ -378 +276 @@
 $ENV{PYTHONUNBUFFERED} = 1;
 
-my $bindir = ($opt_bindir or "$builddir/bin");
 my $bindir_abs = abs_path($bindir);
 
@@ -402 +299 @@
 die("using an empty prefix isn't allowed") unless $prefix ne "";
 
-#Ensure we have the test prefix around
-mkdir($prefix, 0777) unless -d $prefix;
+# Ensure we have the test prefix around.
+#
+# We need restrictive
+# permissions on this as some subdirectories in this tree will have
+# wider permissions (ie 0777) and this would allow other users on the
+# host to subvert the test process.
+mkdir($prefix, 0700) unless -d $prefix;
+chmod 0700, $prefix;
 
 my $prefix_abs = abs_path($prefix);
@@ -410 +313 @@
 
 my $srcdir_abs = abs_path($srcdir);
-my $builddir_abs = abs_path($builddir);
 
 die("using an empty absolute prefix isn't allowed") unless $prefix_abs ne "";
@@ -420 +322 @@
 $ENV{SRCDIR} = $srcdir;
 $ENV{SRCDIR_ABS} = $srcdir_abs;
-$ENV{BUILDDIR} = $builddir;
-$ENV{BUILDDIR_ABS} = $builddir_abs;
 $ENV{BINDIR} = $bindir_abs;
-$ENV{EXEEXT} = $exeext;
 
 my $tls_enabled = not $opt_quick;
@@ -449 +348 @@
         $opt_socket_wrapper = 1;
 }
+
+my $ld_preload = $ENV{LD_PRELOAD};
+
+if ($opt_libnss_wrapper_so_path) {
+        if ($ld_preload) {
+                $ld_preload = "$ld_preload:$opt_libnss_wrapper_so_path";
+        } else {
+                $ld_preload = "$opt_libnss_wrapper_so_path";
+        }
+}
+
+if ($opt_libresolv_wrapper_so_path) {
+        if ($ld_preload) {
+                $ld_preload = "$ld_preload:$opt_libresolv_wrapper_so_path";
+        } else {
+                $ld_preload = "$opt_libresolv_wrapper_so_path";
+        }
+}
+
+if ($opt_libsocket_wrapper_so_path) {
+        if ($ld_preload) {
+                $ld_preload = "$ld_preload:$opt_libsocket_wrapper_so_path";
+        } else {
+                $ld_preload = "$opt_libsocket_wrapper_so_path";
+        }
+}
+
+if ($opt_libuid_wrapper_so_path) {
+        if ($ld_preload) {
+                $ld_preload = "$ld_preload:$opt_libuid_wrapper_so_path";
+        } else {
+                $ld_preload = "$opt_libuid_wrapper_so_path";
+        }
+}
+
+$ENV{LD_PRELOAD} = $ld_preload;
+print "LD_PRELOAD=$ENV{LD_PRELOAD}\n";
+
+# Enable uid_wrapper globally
+$ENV{UID_WRAPPER} = 1;
+
+# Disable RTLD_DEEPBIND hack for Samba bind dlz module
+#
+# This is needed in order to allow the ldb_*ldap module
+# to work with a preloaded socket wrapper.
+$ENV{LDB_MODULES_DISABLE_DEEPBIND} = 1;
 
 my $socket_wrapper_dir;
@@ -454 +399 @@
         $socket_wrapper_dir = SocketWrapper::setup_dir("$prefix_abs/w", $opt_socket_wrapper_pcap);
         print "SOCKET_WRAPPER_DIR=$socket_wrapper_dir\n";
-} else {
-         unless ($< == 0) { 
-                 print "WARNING: Not using socket wrapper, but also not running as root. Will not be able to listen on proper ports\n";
+} elsif (not $opt_list) {
+         unless ($< == 0) {
+                 warn("not using socket wrapper, but also not running as root. Will not be able to listen on proper ports");
          }
+}
+
+if ($opt_use_dns_faking) {
+        print "DNS: Faking nameserver\n";
+        $ENV{SAMBA_DNS_FAKING} = 1;
 }
 
@@ -463 +413 @@
 my $testenv_default = "none";
 
-if ($opt_target eq "samba4") {
-        $testenv_default = "all";
-        require target::Samba4;
-        $target = new Samba4($bindir, $ldap, $srcdir, $exeext);
-} elsif ($opt_target eq "samba3") {
-        if ($opt_socket_wrapper and `$bindir/smbd -b | grep SOCKET_WRAPPER` eq "") {
-                die("You must include --enable-socket-wrapper when compiling Samba in order to execute 'make test'.  Exiting....");
-        }
-        $testenv_default = "member";
-        require target::Samba3;
-        $target = new Samba3($bindir, $srcdir_abs);
-} elsif ($opt_target eq "win") {
-        die("Windows tests will not run with socket wrapper enabled.") 
-                if ($opt_socket_wrapper);
-        $testenv_default = "dc";
-        require target::Windows;
-        $target = new Windows();
-} elsif ($opt_target eq "kvm") {
-        die("Kvm tests will not run with socket wrapper enabled.") 
-                if ($opt_socket_wrapper);
-        require target::Kvm;
-        die("No image specified") unless ($opt_image);
-        $target = new Kvm($opt_image, undef);
-}
-
-#
-# Start a Virtual Distributed Ethernet Switch
-# Returns the pid of the switch.
-#
-sub start_vde_switch($)
-{
-        my ($path) = @_;
-
-        system("vde_switch --pidfile $path/vde.pid --sock $path/vde.sock --daemon");
-
-        open(PID, "$path/vde.pid");
-        <PID> =~ /([0-9]+)/;
-        my $pid = $1;
-        close(PID);
-
-        return $pid;
-}
-
-# Stop a Virtual Distributed Ethernet Switch
-sub stop_vde_switch($)
-{
-        my ($pid) = @_;
-        kill 9, $pid;
+# After this many seconds, the server will self-terminate.  All tests
+# must terminate in this time, and testenv will only stay alive this
+# long
+
+my $server_maxtime;
+if ($opt_testenv) {
+    # 1 year should be enough :-)
+    $server_maxtime = 365 * 24 * 60 * 60;
+} else {
+    # make test should run under 4 hours
+    $server_maxtime = 4 * 60 * 60;
+}
+
+if (defined($ENV{SMBD_MAXTIME}) and $ENV{SMBD_MAXTIME} ne "") {
+    $server_maxtime = $ENV{SMBD_MAXTIME};
+}
+
+unless ($opt_list) {
+        if ($opt_target eq "samba") {
+                $testenv_default = "ad_dc_ntvfs";
+                require target::Samba;
+                $target = new Samba($bindir, $ldap, $srcdir, $server_maxtime);
+        } elsif ($opt_target eq "samba3") {
+                $testenv_default = "nt4_member";
+                require target::Samba3;
+                $target = new Samba3($bindir, $srcdir_abs, $server_maxtime);
+        }
 }
 
@@ -570 +499 @@
         }
 
+        if ( -d "$clientdir/statedir" ) {
+                unlink <$clientdir/statedir/*>;
+        } else {
+                mkdir("$clientdir/statedir", 0777);
+        }
+
+        if ( -d "$clientdir/cachedir" ) {
+                unlink <$clientdir/cachedir/*>;
+        } else {
+                mkdir("$clientdir/cachedir", 0777);
+        }
+
+        # this is ugly, but the ncalrpcdir needs exactly 0755
+        # otherwise tests fail.
+        my $mask = umask;
+        umask 0022;
+        if ( -d "$clientdir/ncalrpcdir/np" ) {
+                unlink <$clientdir/ncalrpcdir/np/*>;
+                rmdir "$clientdir/ncalrpcdir/np";
+        }
         if ( -d "$clientdir/ncalrpcdir" ) {
                 unlink <$clientdir/ncalrpcdir/*>;
-        } else {
-                mkdir("$clientdir/ncalrpcdir", 0777);
-        }
+                rmdir "$clientdir/ncalrpcdir";
+        }
+        mkdir("$clientdir/ncalrpcdir", 0755);
+        umask $mask;
+
+        my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
+        my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
+        my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
+        my $ca_users_dir = "$cadir/Users";
+
+        if ( -d "$clientdir/pkinit" ) {
+                unlink <$clientdir/pkinit/*>;
+        } else {
+                mkdir("$clientdir/pkinit", 0700);
+        }
+
+        # each user has a USER-${USER_PRINCIPAL_NAME}-cert.pem and
+        # USER-${USER_PRINCIPAL_NAME}-private-key.pem symlink
+        # We make a copy here and make the certificated easily
+        # accessable in the client environment.
+        my $mask = umask;
+        umask 0077;
+        opendir USERS, "${ca_users_dir}" or die "Could not open dir '${ca_users_dir}': $!";
+        for my $d (readdir USERS) {
+                my $user_dir = "${ca_users_dir}/${d}";
+                next if ${d} =~ /^\./;
+                next if (! -d "${user_dir}");
+                opendir USER, "${user_dir}" or die "Could not open dir '${user_dir}': $!";
+                for my $l (readdir USER) {
+                        my $user_link = "${user_dir}/${l}";
+                        next if ${l} =~ /^\./;
+                        next if (! -l "${user_link}");
+
+                        my $dest = "${clientdir}/pkinit/${l}";
+                        Samba::copy_file_content(${user_link}, ${dest});
+                }
+                closedir USER;
+        }
+        closedir USERS;
+        umask $mask;
 
         open(CF, ">$conffile");
         print CF "[global]\n";
-        if (defined($ENV{VALGRIND})) {
-                print CF "\ticonv:native = true\n";
-        } else {
-                print CF "\ticonv:native = false\n";
-        }
         print CF "\tnetbios name = client\n";
         if (defined($vars->{DOMAIN})) {
@@ -596 +577 @@
         private dir = $clientdir/private
         lock dir = $clientdir/lockdir
+        state directory = $clientdir/statedir
+        cache directory = $clientdir/cachedir
         ncalrpc dir = $clientdir/ncalrpcdir
-        name resolve order = bcast file
-        panic action = $RealBin/gdb_backtrace \%PID\% \%PROG\%
+        panic action = $RealBin/gdb_backtrace \%d
         max xmit = 32K
         notify:inotify = false
@@ -608 +590 @@
 #We don't want to pass our self-tests if the PAC code is wrong
         gensec:require_pac = true
-        resolv:host file = $prefix_abs/dns_host_file
 #We don't want to run 'speed' tests for very long
         torture:timelimit = 1
+        winbind separator = /
+        tls cafile = ${cacert}
+        tls crlfile = ${cacrl_pem}
+        tls verify peer = no_check
 ";
         close(CF);
@@ -639 +624 @@
 
         while (<IN>) {
-                if (/-- TEST(-LOADLIST|-IDLIST|) --\n/) {
+                if (/-- TEST(-LOADLIST|) --\n/) {
                         my $supports_loadlist = (defined($1) and $1 eq "-LOADLIST");
-                        my $supports_idlist = (defined($1) and $1 eq "-IDLIST");
                         my $name = <IN>;
                         $name =~ s/\n//g;
                         my $env = <IN>;
                         $env =~ s/\n//g;
+                        my $loadlist;
+                        if ($supports_loadlist) {
+                                $loadlist = <IN>;
+                                $loadlist =~ s/\n//g;
+                        }
                         my $cmdline = <IN>;
                         $cmdline =~ s/\n//g;
                         if (should_run_test($name) == 1) {
-                                push (@ret, [$name, $env, $cmdline, $supports_loadlist, $supports_idlist]);
+                                push (@ret, [$name, $env, $cmdline, $loadlist]);
                         }
                 } else {
@@ -655 +644 @@
                 }
         }
-        close(IN) or die("Error creating recipe");
+        close(IN) or die("Error creating recipe from $filename");
         return @ret;
 }
@@ -671 +660 @@
         $ENV{SELFTEST_INTERFACES} = "";
 }
-if ($opt_verbose) {
-        $ENV{SELFTEST_VERBOSE} = "1";
-} else {
-        $ENV{SELFTEST_VERBOSE} = "";
-}
 if ($opt_quick) {
         $ENV{SELFTEST_QUICK} = "1";
@@ -681 +665 @@
         $ENV{SELFTEST_QUICK} = "";
 }
-$ENV{SELFTEST_TARGET} = $opt_target;
 $ENV{SELFTEST_MAXTIME} = $torture_maxtime;
 
@@ -728 +711 @@
                 if ($match) {
                         if (defined($skipreason)) {
+                                if (not $opt_list) {
                                         Subunit::skip_testsuite($name, $skipreason);
+                                }
                         } else {
                                 push(@todo, $testsuite);
@@ -734 +719 @@
                 }
         } elsif (defined($skipreason)) {
-                Subunit::skip_testsuite($name, $skipreason);
+                if (not $opt_list) {
+                        Subunit::skip_testsuite($name, $skipreason);
+                }
         } else {
                 push(@todo, $testsuite);
@@ -753 +740 @@
 my $suitestotal = $#todo + 1;
 
-Subunit::progress($suitestotal);
-Subunit::report_time(time());
+unless ($opt_list) {
+        Subunit::progress($suitestotal);
+        Subunit::report_time(time());
+}
 
 my $i = 0;
@@ -777 +766 @@
         "REALM",
 
+        # stuff related to a trusted domain
+        "TRUST_SERVER",
+        "TRUST_SERVER_IP",
+        "TRUST_SERVER_IPV6",
+        "TRUST_NETBIOSNAME",
+        "TRUST_USERNAME",
+        "TRUST_PASSWORD",
+        "TRUST_DOMAIN",
+        "TRUST_REALM",
+
         # domain controller stuff
         "DC_SERVER",
         "DC_SERVER_IP",
+        "DC_SERVER_IPV6",
         "DC_NETBIOSNAME",
         "DC_NETBIOSALIAS",
@@ -786 +786 @@
         "MEMBER_SERVER",
         "MEMBER_SERVER_IP",
+        "MEMBER_SERVER_IPV6",
         "MEMBER_NETBIOSNAME",
         "MEMBER_NETBIOSALIAS",
@@ -792 +793 @@
         "RPC_PROXY_SERVER",
         "RPC_PROXY_SERVER_IP",
+        "RPC_PROXY_SERVER_IPV6",
         "RPC_PROXY_NETBIOSNAME",
         "RPC_PROXY_NETBIOSALIAS",
@@ -798 +800 @@
         "VAMPIRE_DC_SERVER",
         "VAMPIRE_DC_SERVER_IP",
+        "VAMPIRE_DC_SERVER_IPV6",
         "VAMPIRE_DC_NETBIOSNAME",
         "VAMPIRE_DC_NETBIOSALIAS",
+
+        "PROMOTED_DC_SERVER",
+        "PROMOTED_DC_SERVER_IP",
+        "PROMOTED_DC_SERVER_IPV6",
+        "PROMOTED_DC_NETBIOSNAME",
+        "PROMOTED_DC_NETBIOSALIAS",
 
         # server stuff
         "SERVER",
         "SERVER_IP",
+        "SERVER_IPV6",
         "NETBIOSNAME",
         "NETBIOSALIAS",
@@ -814 +824 @@
         "DC_PASSWORD",
 
+        # UID/GID for rfc2307 mapping tests
+        "UID_RFC2307TEST",
+        "GID_RFC2307TEST",
+
         # misc stuff
         "KRB5_CONFIG",
-        "WINBINDD_SOCKET_DIR",
+        "SELFTEST_WINBINDD_SOCKET_DIR",
         "WINBINDD_PRIV_PIPE_DIR",
         "NMBD_SOCKET_DIR",
-        "LOCAL_PATH"
+        "LOCAL_PATH",
+
+        # nss_wrapper
+        "NSS_WRAPPER_PASSWD",
+        "NSS_WRAPPER_GROUP",
+        "NSS_WRAPPER_HOSTS",
+        "NSS_WRAPPER_MODULE_SO_PATH",
+        "NSS_WRAPPER_MODULE_FN_PREFIX",
+
+        # resolv_wrapper
+        "RESOLV_WRAPPER_CONF",
+        "RESOLV_WRAPPER_HOSTS",
 );
 
-$SIG{INT} = $SIG{QUIT} = $SIG{TERM} = sub { 
+sub sighandler($)
+{
         my $signame = shift;
+
+        $SIG{INT} = $SIG{QUIT} = $SIG{TERM} = 'DEFAULT';
+        $SIG{PIPE} = 'IGNORE';
+
+        open(STDOUT, ">&STDERR") or die "can't dup STDOUT to STDERR: $!";
+
+        print "$0: PID[$$]: Got SIG${signame} teardown environments.\n";
         teardown_env($_) foreach(keys %running_envs);
-        die("Received signal $signame");
+        system("pstree -p $$");
+        print "$0: PID[$$]: Exiting...\n";
+        exit(1);
 };
+
+$SIG{INT} = $SIG{QUIT} = $SIG{TERM} = $SIG{PIPE} = \&sighandler;
 
 sub setup_env($$)
@@ -843 +880 @@
         $option = "client" if $option eq "";
 
-        if ($envname eq "none") {
-                $testenv_vars = {};
-        } elsif (defined(get_running_env($envname))) {
+        if (defined(get_running_env($envname))) {
                 $testenv_vars = get_running_env($envname);
                 if (not $testenv_vars->{target}->check_env($testenv_vars)) {
@@ -853 +888 @@
         } else {
                 $testenv_vars = $target->setup_env($envname, $prefix);
-                if (defined($testenv_vars) && not defined($testenv_vars->{target})) {
-                       $testenv_vars->{target} = $target;
+                if (defined($testenv_vars) and $testenv_vars eq "UNKNOWN") {
+                    return $testenv_vars;
+                } elsif (defined($testenv_vars) && not defined($testenv_vars->{target})) {
+                        $testenv_vars->{target} = $target;
+                }
+                if (not defined($testenv_vars)) {
+                        warn("$opt_target can't start up known environment '$envname'");
                 }
         }
@@ -908 +948 @@
 {
         my ($envname) = @_;
-        return 1 if ($envname eq "none");
         my $env = get_running_env($envname);
         return $env->{target}->check_env($env);
@@ -917 +956 @@
         my ($envname) = @_;
         return if ($envname eq "none");
+        print STDERR "teardown_env($envname)\n";
         my $env = get_running_env($envname);
         $env->{target}->teardown_env($env);
@@ -924 +964 @@
 # This 'global' file needs to be empty when we start
 unlink("$prefix_abs/dns_host_file");
+unlink("$prefix_abs/hosts");
+
+if ($opt_random_order) {
+        require List::Util;
+        my @newtodo = List::Util::shuffle(@todo);
+        @todo = @newtodo;
+}
 
 if ($opt_testenv) {
@@ -931 +978 @@
         my $testenv_vars = setup_env($testenv_name, $prefix);
 
-        die("Unable to setup environment $testenv_name") unless ($testenv_vars);
+        if (not $testenv_vars or $testenv_vars eq "UNKNOWN") {
+                die("Unable to setup environment $testenv_name");
+        }
 
         $ENV{PIDDIR} = $testenv_vars->{PIDDIR};
@@ -938 +987 @@
         my $envvarstr = exported_envvars_str($testenv_vars);
 
-        my $term = ($ENV{TERMINAL} or "xterm -e");
-        system("$term 'echo -e \"
+        my @term_args = ("echo -e \"
 Welcome to the Samba4 Test environment '$testenv_name'
 
@@ -950 +998 @@
 
 $envvarstr
-\" && LD_LIBRARY_PATH=$ENV{LD_LIBRARY_PATH} bash'");
+\" && LD_LIBRARY_PATH=$ENV{LD_LIBRARY_PATH} bash");
+        my @term = ();
+        if ($ENV{TERMINAL}) {
+            @term = ($ENV{TERMINAL});
+        } else {
+            @term = ("xterm", "-e");
+            unshift(@term_args, ("bash", "-c"));
+        }
+
+        system(@term, @term_args);
+
         teardown_env($testenv_name);
 } elsif ($opt_list) {
         foreach (@todo) {
-                my $cmd = $$_[2];
                 my $name = $$_[0];
                 my $envname = $$_[1];
-
-                unless($cmd =~ /\$LISTOPT/) {
+                my $cmd = $$_[2];
+                my $listcmd = $$_[3];
+
+                unless (defined($listcmd)) {
                         warn("Unable to list tests in $name");
+                        # Rather than ignoring this testsuite altogether, just pretend the entire testsuite is
+                        # a single "test".
+                        print "$name\n";
                         next;
                 }
 
-                $cmd =~ s/\$LISTOPT/--list/g;
-
-                system($cmd);
+                system($listcmd);
 
                 if ($? == -1) {
-                        die("Unable to run $cmd: $!");
+                        die("Unable to run $listcmd: $!");
                 } elsif ($? & 127) {
-                        die(snprintf("%s died with signal %d, %s coredump\n", $cmd, ($? & 127),  ($? & 128) ? 'with' : 'without'));
+                        die(sprintf("%s died with signal %d, %s coredump\n", $listcmd, ($? & 127),  ($? & 128) ? 'with' : 'without'));
                 }
 
@@ -990 +1050 @@
                         Subunit::end_testsuite($name, "error",
                                 "unable to set up environment $envname - exiting");
+                        next;
+                } elsif ($envvars eq "UNKNOWN") {
+                        Subunit::start_testsuite($name);
+                        Subunit::end_testsuite($name, "skip",
+                                "environment $envname is unknown in this test backend - skipping");
                         next;
                 }
@@ -1002 +1067 @@
                                 }
                                 $cmd =~ s/\$LOADLIST/--load-list=$listid_file/g;
-                        } elsif ($$_[4]) {
-                                $cmd =~ s/\s+[^\s]+\s*$//;
-                                $cmd .= " " . join(' ', @{$individual_tests->{$name}});
+                        } else {
+                                warn("Unable to run individual tests in $name, it does not support --loadlist.");
                         }
                 }

vendor/current/selftest/selftesthelpers.py

@@ -21 +21 @@
 import os
 import subprocess
+import sys
 
 def srcdir():
-    return os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), ".."))
+    return os.path.normpath(os.getenv("SRCDIR", os.path.join(os.path.dirname(os.path.abspath(__file__)), "..")))
 
 def source4dir():
-    return os.path.normpath(os.path.join(os.path.dirname(os.path.abspath(__file__)), "../source4"))
+    return os.path.normpath(os.path.join(srcdir(), "source4"))
+
+def source3dir():
+    return os.path.normpath(os.path.join(srcdir(), "source3"))
 
 def bindir():
-    return os.path.normpath(os.path.join(os.getenv("BUILDDIR", "."), "bin"))
+    return os.path.normpath(os.getenv("BINDIR", "./bin"))
 
 def binpath(name):
-    return os.path.join(bindir(), "%s%s" % (name, os.getenv("EXEEXT", "")))
+    return os.path.join(bindir(), name)
 
-perl = os.getenv("PERL", "perl")
-perl = perl.split()
+# Split perl variable to allow $PERL to be set to e.g. "perl -W"
+perl = os.getenv("PERL", "perl").split()
 
 if subprocess.call(perl + ["-e", "eval require Test::More;"]) == 0:
@@ -42 +46 @@
     has_perl_test_more = False
 
-try:
-    from subunit.run import TestProgram
-except ImportError:
-    has_system_subunit_run = False
-else:
-    has_system_subunit_run = True
-
 python = os.getenv("PYTHON", "python")
 
-#Set a default value, overridden if we find a working one on the system
-tap2subunit = "PYTHONPATH=%s/lib/subunit/python:%s/lib/testtools %s %s/lib/subunit/filters/tap2subunit" % (srcdir(), srcdir(), python, srcdir())
+tap2subunit = python + " " + os.path.join(srcdir(), "selftest", "tap2subunit")
 
-sub = subprocess.Popen("tap2subunit 2> /dev/null", stdout=subprocess.PIPE, stdin=subprocess.PIPE, shell=True)
-sub.communicate("")
-
-if sub.returncode == 0:
-    cmd = "echo -ne \"1..1\nok 1 # skip doesn't seem to work yet\n\" | tap2subunit 2> /dev/null | grep skip"
-    sub = subprocess.Popen(cmd, stdout=subprocess.PIPE, stdin=subprocess.PIPE, stderr=subprocess.PIPE, shell=True)
-    if sub.returncode == 0:
-        tap2subunit = "tap2subunit"
 
 def valgrindify(cmdline):
@@ -71 +59 @@
 
 
-def plantestsuite(name, env, cmdline, allow_empty_output=False):
+def plantestsuite(name, env, cmdline):
     """Plan a test suite.
 
@@ -83 +71 @@
     if isinstance(cmdline, list):
         cmdline = " ".join(cmdline)
-    filter_subunit_args = []
-    if not allow_empty_output:
-        filter_subunit_args.append("--fail-on-empty")
     if "$LISTOPT" in cmdline:
-        filter_subunit_args.append("$LISTOPT")
-    print "%s 2>&1 | %s/selftest/filter-subunit %s --prefix=\"%s.\"" % (cmdline,
-                                                                        srcdir(),
-                                                                        " ".join(filter_subunit_args),
-                                                                        name)
-    if allow_empty_output:
-        print "WARNING: allowing empty subunit output from %s" % name
+        raise AssertionError("test %s supports --list, but not --load-list" % name)
+    print cmdline + " 2>&1 " + " | " + add_prefix(name, env)
 
 
-def add_prefix(prefix, support_list=False):
+def add_prefix(prefix, env, support_list=False):
     if support_list:
         listopt = "$LISTOPT "
     else:
         listopt = ""
-    return "%s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\"" % (srcdir(), listopt, prefix)
+    return "%s/selftest/filter-subunit %s--fail-on-empty --prefix=\"%s.\" --suffix=\"(%s)\"" % (srcdir(), listopt, prefix, env)
 
 
@@ -115 +95 @@
         cmdline = " ".join(cmdline)
     support_list = ("$LISTOPT" in cmdline)
-    print "%s $LOADLIST 2>&1 | %s" % (cmdline, add_prefix(name, support_list))
-
-
-def plantestsuite_idlist(name, env, cmdline):
-    print "-- TEST-IDLIST --"
-    print name
-    print env
-    if isinstance(cmdline, list):
-        cmdline = " ".join(cmdline)
-    print cmdline
+    if not "$LISTOPT" in cmdline:
+        raise AssertionError("loadlist test %s does not support not --list" % name)
+    if not "$LOADLIST" in cmdline:
+        raise AssertionError("loadlist test %s does not support --load-list" % name)
+    print ("%s | %s" % (cmdline.replace("$LOADLIST", ""), add_prefix(name, env, support_list))).replace("$LISTOPT", "--list")
+    print cmdline.replace("$LISTOPT", "") + " 2>&1 " + " | " + add_prefix(name, env, False)
 
 
@@ -134 +110 @@
     """
     # FIXME: Report this using subunit, but re-adjust the testsuite count somehow
-    print "skipping %s (%s)" % (name, reason)
+    print >>sys.stderr, "skipping %s (%s)" % (name, reason)
 
 
@@ -149 +125 @@
 
 
-def planpythontestsuite(env, module):
-    if has_system_subunit_run:
-        plantestsuite_idlist(module, env, [python, "-m", "subunit.run", "$LISTOPT", module])
-    else:
-        plantestsuite_idlist(module, env, "PYTHONPATH=$PYTHONPATH:%s/lib/subunit/python:%s/lib/testtools %s -m subunit.run $LISTOPT %s" % (srcdir(), srcdir(), python, module))
+def planpythontestsuite(env, module, name=None, extra_path=[]):
+    if name is None:
+        name = module
+    pypath = list(extra_path)
+    args = [python, "-m", "samba.subunit.run", "$LISTOPT", "$LOADLIST", module]
+    if pypath:
+        args.insert(0, "PYTHONPATH=%s" % ":".join(["$PYTHONPATH"] + pypath))
+    plantestsuite_loadlist(name, env, args)
 
 
+def get_env_torture_options():
+    ret = []
+    if not os.getenv("SELFTEST_VERBOSE"):
+        ret.append("--option=torture:progress=no")
+    if os.getenv("SELFTEST_QUICK"):
+        ret.append("--option=torture:quick=yes")
+    return ret
+
+
+samba4srcdir = source4dir()
+samba3srcdir = source3dir()
+bbdir = os.path.join(srcdir(), "testprogs/blackbox")
+configuration = "--configfile=$SMB_CONF_PATH"
+
+smbtorture4 = binpath("smbtorture")
+smbtorture4_testsuite_list = subprocess.Popen([smbtorture4, "--list-suites"], stdout=subprocess.PIPE, stderr=subprocess.PIPE).communicate("")[0].splitlines()
+
+smbtorture4_options = [
+    configuration,
+    "--option=\'fss:sequence timeout=1\'",
+    "--maximum-runtime=$SELFTEST_MAXTIME",
+    "--basedir=$SELFTEST_TMPDIR",
+    "--format=subunit"
+    ] + get_env_torture_options()
+
+
+def plansmbtorture4testsuite(name, env, options, target, modname=None):
+    if modname is None:
+        modname = "samba4.%s" % name
+    if isinstance(options, list):
+        options = " ".join(options)
+    options = " ".join(smbtorture4_options + ["--target=%s" % target]) + " " + options
+    cmdline = "%s $LISTOPT $LOADLIST %s %s" % (valgrindify(smbtorture4), options, name)
+    plantestsuite_loadlist(modname, env, cmdline)
+
+
+def smbtorture4_testsuites(prefix):
+    return filter(lambda x: x.startswith(prefix), smbtorture4_testsuite_list)
+
+
+smbclient3 = binpath('smbclient')
+smbtorture3 = binpath('smbtorture3')
+ntlm_auth3 = binpath('ntlm_auth')
+net = binpath('net')
+scriptdir = os.path.join(srcdir(), "script/tests")
+
+wbinfo = binpath('wbinfo')
+dbwrap_tool = binpath('dbwrap_tool')
+vfstest = binpath('vfstest')
+smbcquotas = binpath('smbcquotas')
+smbget = binpath('smbget')

vendor/current/selftest/subunithelper.py

@@ -20 +20 @@
 import re
 import sys
-import subunit
-import subunit.iso8601
-import testtools
-
-VALID_RESULTS = ['success', 'successful', 'failure', 'fail', 'skip', 'knownfail', 'error', 'xfail', 'skip-testsuite', 'testsuite-failure', 'testsuite-xfail', 'testsuite-success', 'testsuite-error']
-
-class TestsuiteEnabledTestResult(testtools.testresult.TestResult):
+from samba import subunit
+from samba.subunit.run import TestProtocolClient
+from samba.subunit import iso8601
+import unittest
+
+VALID_RESULTS = ['success', 'successful', 'failure', 'fail', 'skip', 'knownfail', 'error', 'xfail', 'skip-testsuite', 'testsuite-failure', 'testsuite-xfail', 'testsuite-success', 'testsuite-error', 'uxsuccess', 'testsuite-uxsuccess']
+
+class TestsuiteEnabledTestResult(unittest.TestResult):
 
     def start_testsuite(self, name):
@@ -34 +35 @@
 def parse_results(msg_ops, statistics, fh):
     exitcode = 0
-    expected_fail = 0
     open_tests = {}
 
@@ -58 +58 @@
             msg_ops.control_msg(l)
             try:
-                dt = subunit.iso8601.parse_date(arg.rstrip("\n"))
+                dt = iso8601.parse_date(arg.rstrip("\n"))
             except TypeError, e:
                 print "Unable to parse time line: %s" % arg.rstrip("\n")
@@ -112 +112 @@
                     statistics['TESTS_EXPECTED_FAIL']+=1
                     msg_ops.addExpectedFailure(test, remote_error)
-                    expected_fail+=1
+            elif result in ("uxsuccess", ):
+                try:
+                    test = open_tests.pop(testname)
+                except KeyError:
+                    statistics['TESTS_ERROR']+=1
+                    exitcode = 1
+                    msg_ops.addError(subunit.RemotedTestCase(testname), subunit.RemoteError(u"Test was never started"))
+                else:
+                    statistics['TESTS_UNEXPECTED_OK']+=1
+                    msg_ops.addUnexpectedSuccess(test)
+                    exitcode = 1
             elif result in ("failure", "fail"):
                 try:
@@ -149 +159 @@
             elif result == "testsuite-xfail":
                 msg_ops.end_testsuite(testname, "xfail", reason)
+            elif result == "testsuite-uxsuccess":
+                msg_ops.end_testsuite(testname, "uxsuccess", reason)
+                exitcode = 1
             elif result == "testsuite-error":
                 msg_ops.end_testsuite(testname, "error", reason)
@@ -179 +192 @@
 
 
-class SubunitOps(subunit.TestProtocolClient,TestsuiteEnabledTestResult):
+class SubunitOps(TestProtocolClient,TestsuiteEnabledTestResult):
+
+    def progress(self, count, whence):
+        if whence == subunit.PROGRESS_POP:
+            self._stream.write("progress: pop\n")
+        elif whence == subunit.PROGRESS_PUSH:
+            self._stream.write("progress: push\n")
+        elif whence == subunit.PROGRESS_SET:
+            self._stream.write("progress: %d\n" % count)
+        elif whence == subunit.PROGRESS_CUR:
+            raise NotImplementedError
 
     # The following are Samba extensions:
@@ -235 +258 @@
 
 
-class FilterOps(testtools.testresult.TestResult):
+class FilterOps(unittest.TestResult):
 
     def control_msg(self, msg):
@@ -261 +284 @@
 
     def _add_prefix(self, test):
+        prefix = ""
+        suffix = ""
         if self.prefix is not None:
-            return subunit.RemotedTestCase(self.prefix + test.id())
-        else:
-            return test
-
-    def addError(self, test, details=None):
+            prefix = self.prefix
+        if self.suffix is not None:
+            suffix = self.suffix
+
+        return subunit.RemotedTestCase(prefix + test.id() + suffix)
+
+    def addError(self, test, err=None):
         test = self._add_prefix(test)
         self.error_added+=1
         self.total_error+=1
-        self._ops.addError(test, details)
+        self._ops.addError(test, err)
         self.output = None
         if self.fail_immediately:
             raise ImmediateFail()
 
-    def addSkip(self, test, details=None):
+    def addSkip(self, test, reason=None):
         self.seen_output = True
         test = self._add_prefix(test)
-        self._ops.addSkip(test, details)
-        self.output = None
-
-    def addExpectedFailure(self, test, details=None):
+        self._ops.addSkip(test, reason)
+        self.output = None
+
+    def addExpectedFailure(self, test, err=None):
         test = self._add_prefix(test)
-        self._ops.addExpectedFailure(test, details)
-        self.output = None
-
-    def addFailure(self, test, details=None):
+        self._ops.addExpectedFailure(test, err)
+        self.output = None
+
+    def addUnexpectedSuccess(self, test):
+        test = self._add_prefix(test)
+        self.uxsuccess_added+=1
+        self.total_uxsuccess+=1
+        self._ops.addUnexpectedSuccess(test)
+        if self.output:
+            self._ops.output_msg(self.output)
+        self.output = None
+        if self.fail_immediately:
+            raise ImmediateFail()
+
+    def addFailure(self, test, err=None):
         test = self._add_prefix(test)
         xfail_reason = find_in_list(self.expected_failures, test.id())
+        if xfail_reason is None:
+            xfail_reason = find_in_list(self.flapping, test.id())
         if xfail_reason is not None:
             self.xfail_added+=1
             self.total_xfail+=1
-            if details is not None:
-                details = subunit.RemoteError(unicode(details[1]) + xfail_reason.decode("utf-8"))
-            else:
-                details = subunit.RemoteError(xfail_reason.decode("utf-8"))
-            self._ops.addExpectedFailure(test, details)
+            self._ops.addExpectedFailure(test, err)
         else:
             self.fail_added+=1
             self.total_fail+=1
-            self._ops.addFailure(test, details)
+            self._ops.addFailure(test, err)
             if self.output:
                 self._ops.output_msg(self.output)
@@ -307 +343 @@
         self.output = None
 
-    def addSuccess(self, test, details=None):
+    def addSuccess(self, test):
         test = self._add_prefix(test)
-        self._ops.addSuccess(test, details)
+        xfail_reason = find_in_list(self.expected_failures, test.id())
+        if xfail_reason is not None:
+            self.uxsuccess_added += 1
+            self.total_uxsuccess += 1
+            self._ops.addUnexpectedSuccess(test)
+            if self.output:
+                self._ops.output_msg(self.output)
+            if self.fail_immediately:
+                raise ImmediateFail()
+        else:
+            self._ops.addSuccess(test)
         self.output = None
 
@@ -320 +366 @@
         self.fail_added = 0
         self.xfail_added = 0
+        self.uxsuccess_added = 0
 
     def end_testsuite(self, name, result, reason=None):
@@ -326 +373 @@
         if self.xfail_added > 0:
             xfail = True
-        if self.fail_added > 0 or self.error_added > 0:
+        if self.fail_added > 0 or self.error_added > 0 or self.uxsuccess_added > 0:
             xfail = False
 
         if xfail and result in ("fail", "failure"):
             result = "xfail"
+
+        if self.uxsuccess_added > 0 and result != "uxsuccess":
+            result = "uxsuccess"
+            if reason is None:
+                reason = "Subunit/Filter Reason"
+            reason += "\n uxsuccess[%d]" % self.uxsuccess_added
 
         if self.fail_added > 0 and result != "failure":
@@ -345 +398 @@
 
         self._ops.end_testsuite(name, result, reason)
-
-    def __init__(self, out, prefix=None, expected_failures=None,
-                 strip_ok_output=False, fail_immediately=False):
+        if result not in ("success", "xfail"):
+            if self.output:
+                self._ops.output_msg(self.output)
+            if self.fail_immediately:
+                raise ImmediateFail()
+        self.output = None
+
+    def __init__(self, out, prefix=None, suffix=None, expected_failures=None,
+                 strip_ok_output=False, fail_immediately=False,
+                 flapping=None):
         self._ops = out
         self.seen_output = False
         self.output = None
         self.prefix = prefix
+        self.suffix = suffix
         if expected_failures is not None:
             self.expected_failures = expected_failures
         else:
             self.expected_failures = {}
+        if flapping is not None:
+            self.flapping = flapping
+        else:
+            self.flapping = {}
         self.strip_ok_output = strip_ok_output
         self.xfail_added = 0
         self.fail_added = 0
+        self.uxsuccess_added = 0
         self.total_xfail = 0
         self.total_error = 0
         self.total_fail = 0
+        self.total_uxsuccess = 0
         self.error_added = 0
         self.fail_immediately = fail_immediately
@@ -420 +487 @@
             self.test_output[name] = ""
 
-        out = "[%d" % self.index
+        total_tests = (self.statistics['TESTS_EXPECTED_OK'] +
+                       self.statistics['TESTS_EXPECTED_FAIL'] +
+                       self.statistics['TESTS_ERROR'] +
+                       self.statistics['TESTS_UNEXPECTED_FAIL'] +
+                       self.statistics['TESTS_UNEXPECTED_OK'])
+
+        out = "[%d(%d)" % (self.index, total_tests)
         if self.totalsuites is not None:
             out += "/%d" % self.totalsuites
         if self.start_time is not None:
-            out += " in " + self._format_time(self.last_time - self.start_time)
+            out += " at " + self._format_time(self.last_time - self.start_time)
         if self.suitesfailed:
             out += ", %d errors" % (len(self.suitesfailed),)
@@ -476 +549 @@
         self.end_test(test.id(), "success", False)
 
-    def addError(self, test, details=None):
-        self.end_test(test.id(), "error", True, details)
-
-    def addFailure(self, test, details=None):
-        self.end_test(test.id(), "failure", True, details)
-
-    def addSkip(self, test, details=None):
-        self.end_test(test.id(), "skip", False, details)
-
-    def addExpectedFail(self, test, details=None):
-        self.end_test(test.id(), "xfail", False, details)
-
-    def end_test(self, testname, result, unexpected, reason=None):
+    def addError(self, test, err=None):
+        self.end_test(test.id(), "error", True, err)
+
+    def addFailure(self, test, err=None):
+        self.end_test(test.id(), "failure", True, err)
+
+    def addSkip(self, test, reason=None):
+        self.end_test(test.id(), "skip", False, reason)
+
+    def addExpectedFailure(self, test, err=None):
+        self.end_test(test.id(), "xfail", False, err)
+
+    def addUnexpectedSuccess(self, test):
+        self.end_test(test.id(), "uxsuccess", True)
+
+    def end_test(self, testname, result, unexpected, err=None):
         if not unexpected:
             self.test_output[self.name] = ""
@@ -503 +579 @@
 
         self.test_output[self.name] += "UNEXPECTED(%s): %s\n" % (result, testname)
-        if reason is not None:
-            self.test_output[self.name] += "REASON: %s\n" % (unicode(reason[1]).encode("utf-8").strip(),)
+        if err is not None:
+            self.test_output[self.name] += "REASON: %s\n" % str(err[1]).strip()
 
         if self.immediate and not self.verbose:
-            print self.test_output[self.name]
+            sys.stdout.write(self.test_output[self.name])
             self.test_output[self.name] = ""
 
@@ -514 +590 @@
                'error': 'E',
                'failure': 'F',
+               'uxsuccess': 'U',
                'success': 'S'}.get(result, "?"))
 
@@ -547 +624 @@
         if (not self.suitesfailed and
             not self.statistics['TESTS_UNEXPECTED_FAIL'] and
+            not self.statistics['TESTS_UNEXPECTED_OK'] and
             not self.statistics['TESTS_ERROR']):
             ok = (self.statistics['TESTS_EXPECTED_OK'] +
@@ -552 +630 @@
             print "\nALL OK (%d tests in %d testsuites)" % (ok, self.suites_ok)
         else:
-            print "\nFAILED (%d failures and %d errors in %d testsuites)" % (
+            print "\nFAILED (%d failures, %d errors and %d unexpected successes in %d testsuites)" % (
                 self.statistics['TESTS_UNEXPECTED_FAIL'],
                 self.statistics['TESTS_ERROR'],
+                self.statistics['TESTS_UNEXPECTED_OK'],
                 len(self.suitesfailed))
 

vendor/current/selftest/target/Samba3.pm

@@ -10 +10 @@
 use FindBin qw($RealBin);
 use POSIX;
-
-sub binpath($$)
+use target::Samba;
+
+sub have_ads($) {
+        my ($self) = @_;
+        my $found_ads = 0;
+        my $smbd_build_options = Samba::bindir_path($self, "smbd") . " -b|";
+        open(IN, $smbd_build_options) or die("Unable to run $smbd_build_options: $!");
+
+        while (<IN>) {
+                if (/WITH_ADS/) {
+                       $found_ads = 1;
+                }
+        }
+        close IN;
+
+        # If we were not built with ADS support, pretend we were never even available
+        print "smbd does not have ADS support\n" unless $found_ads;
+        return $found_ads;
+}
+
+# return smb.conf parameters applicable to @path, based on the underlying
+# filesystem type
+sub get_fs_specific_conf($$)
 {
-        my ($self, $binary) = @_;
-
-        if (defined($self->{bindir})) {
-                my $path = "$self->{bindir}/$binary";
-                -f $path or die("File $path doesn't exist");
-                return $path;
-        }
-
-        return $binary;
+        my ($self, $path) = @_;
+        my $mods = "";
+        my $stat_out = `stat --file-system $path` or return "";
+
+        if ($stat_out =~ m/Type:\s+btrfs/) {
+                $mods .= "btrfs ";
+        }
+
+        if ($mods) {
+                return "vfs objects = $mods";
+        }
+
+        return undef;
 }
 
 sub new($$) {
-        my ($classname, $bindir, $srcdir) = @_;
-        my $self = { bindir => $bindir,
-                     srcdir => $srcdir
+        my ($classname, $bindir, $srcdir, $server_maxtime) = @_;
+        my $self = { vars => {},
+                     bindir => $bindir,
+                     srcdir => $srcdir,
+                     server_maxtime => $server_maxtime
         };
         bless $self;
@@ -36 +63 @@
 {
         my ($self, $envvars) = @_;
-
-        my $smbdpid = read_pid($envvars, "smbd");
-        my $nmbdpid = read_pid($envvars, "nmbd");
-        my $winbinddpid = read_pid($envvars, "winbindd");
+        my $count = 0;
+
+        # This should cause smbd to terminate gracefully
+        close($envvars->{STDIN_PIPE});
+
+        my $smbdpid = $envvars->{SMBD_TL_PID};
+        my $nmbdpid = $envvars->{NMBD_TL_PID};
+        my $winbinddpid = $envvars->{WINBINDD_TL_PID};
+
+        # This should give it time to write out the gcov data
+        until ($count > 20) {
+            my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
+            my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
+            my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+            if ($smbdchild == -1
+                && $nmbdchild == -1
+                && $winbinddchild == -1) {
+                last;
+            }
+            sleep(1);
+            $count++;
+        }
+
+        if ($count <= 20 && kill(0, $smbdpid, $nmbdpid, $winbinddpid) == 0) {
+            return;
+        }
 
         $self->stop_sig_term($smbdpid);
@@ -45 +94 @@
         $self->stop_sig_term($winbinddpid);
 
-        sleep(2);
-
+        $count = 0;
+        until ($count > 10) {
+            my $smbdchild = Samba::cleanup_child($smbdpid, "smbd");
+            my $nmbdchild = Samba::cleanup_child($nmbdpid, "nmbd");
+            my $winbinddchild = Samba::cleanup_child($winbinddpid, "winbindd");
+            if ($smbdchild == -1
+                && $nmbdchild == -1
+                && $winbinddchild == -1) {
+                last;
+            }
+            sleep(1);
+            $count++;
+        }
+
+        if ($count <= 10 && kill(0, $smbdpid, $nmbdpid, $winbinddpid) == 0) {
+            return;
+        }
+
+        warn("timelimit process did not quit on SIGTERM, sending SIGKILL");
         $self->stop_sig_kill($smbdpid);
         $self->stop_sig_kill($nmbdpid);
@@ -91 +157 @@
         my ($self, $envvars) = @_;
 
+        my $childpid = waitpid(-1, WNOHANG);
+
         # TODO ...
         return 1;
@@ -98 +166 @@
 {
         my ($self, $envname, $path) = @_;
-        
-        if ($envname eq "s3dc") {
-                return $self->setup_dc("$path/s3dc");
-        } elsif ($envname eq "secshare") {
-                return $self->setup_secshare("$path/secshare");
-        } elsif ($envname eq "secserver") {
-                if (not defined($self->{vars}->{s3dc})) {
-                        $self->setup_dc("$path/s3dc");
-                }
-                return $self->setup_secserver("$path/secserver", $self->{vars}->{s3dc});
-        } elsif ($envname eq "member") {
-                if (not defined($self->{vars}->{s3dc})) {
-                        $self->setup_dc("$path/s3dc");
-                }
-                return $self->setup_member("$path/member", $self->{vars}->{s3dc});
+
+        $ENV{ENVNAME} = $envname;
+
+        if (defined($self->{vars}->{$envname})) {
+                return $self->{vars}->{$envname};
+        }
+
+        #
+        # Avoid hitting system krb5.conf -
+        # An env that needs Kerberos will reset this to the real
+        # value.
+        #
+        $ENV{KRB5_CONFIG} = "$path/no_krb5.conf";
+
+        if ($envname eq "nt4_dc") {
+                return $self->setup_nt4_dc("$path/nt4_dc");
+        } elsif ($envname eq "nt4_dc_schannel") {
+                return $self->setup_nt4_dc_schannel("$path/nt4_dc_schannel");
+        } elsif ($envname eq "simpleserver") {
+                return $self->setup_simpleserver("$path/simpleserver");
+        } elsif ($envname eq "fileserver") {
+                return $self->setup_fileserver("$path/fileserver");
+        } elsif ($envname eq "maptoguest") {
+                return $self->setup_maptoguest("$path/maptoguest");
+        } elsif ($envname eq "ktest") {
+                return $self->setup_ktest("$path/ktest");
+        } elsif ($envname eq "nt4_member") {
+                if (not defined($self->{vars}->{nt4_dc})) {
+                        if (not defined($self->setup_nt4_dc("$path/nt4_dc"))) {
+                                return undef;
+                        }
+                }
+                return $self->setup_nt4_member("$path/nt4_member", $self->{vars}->{nt4_dc});
         } else {
-                return undef;
-        }
-}
-
-sub setup_dc($$)
+                return "UNKNOWN";
+        }
+}
+
+sub setup_nt4_dc($$)
 {
         my ($self, $path) = @_;
 
-        print "PROVISIONING S3DC...";
-
-        my $s3dc_options = "
+        print "PROVISIONING NT4 DC...";
+
+        my $nt4_dc_options = "
         domain master = yes
         domain logons = yes
         lanman auth = yes
         raw NTLMv2 auth = yes
+
+        rpc_server:epmapper = external
+        rpc_server:spoolss = external
+        rpc_server:lsarpc = external
+        rpc_server:samr = external
+        rpc_server:netlogon = external
+        rpc_server:register_embedded_np = yes
+        rpc_server:FssagentRpc = external
+
+        rpc_daemon:epmd = fork
+        rpc_daemon:spoolssd = fork
+        rpc_daemon:lsasd = fork
+        rpc_daemon:fssd = fork
+        fss: sequence timeout = 1
 ";
 
         my $vars = $self->provision($path,
-                                    "LOCALS3DC2",
-                                    2,
-                                    "locals3dc2pass",
-                                    $s3dc_options);
-
-        $self->check_or_start($vars,
-                              ($ENV{SMBD_MAXTIME} or 2700),
-                               "yes", "yes", "yes");
-
-        $self->wait_for_start($vars);
+                                    "LOCALNT4DC2",
+                                    "localntdc2pass",
+                                    $nt4_dc_options);
+
+        $vars or return undef;
+
+        if (not $self->check_or_start($vars, "yes", "yes", "yes")) {
+               return undef;
+        }
 
         $vars->{DC_SERVER} = $vars->{SERVER};
         $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+        $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
         $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
         $vars->{DC_USERNAME} = $vars->{USERNAME};
         $vars->{DC_PASSWORD} = $vars->{PASSWORD};
 
-        $self->{vars}->{s3dc} = $vars;
+        $self->{vars}->{nt4_dc} = $vars;
 
         return $vars;
 }
 
-sub setup_member($$$)
+sub setup_nt4_dc_schannel($$)
 {
-        my ($self, $prefix, $s3dcvars) = @_;
+        my ($self, $path) = @_;
+
+        print "PROVISIONING NT4 DC WITH SERVER SCHANNEL ...";
+
+        my $pdc_options = "
+        domain master = yes
+        domain logons = yes
+        lanman auth = yes
+
+        rpc_server:epmapper = external
+        rpc_server:spoolss = external
+        rpc_server:lsarpc = external
+        rpc_server:samr = external
+        rpc_server:netlogon = external
+        rpc_server:register_embedded_np = yes
+
+        rpc_daemon:epmd = fork
+        rpc_daemon:spoolssd = fork
+        rpc_daemon:lsasd = fork
+
+        server schannel = yes
+";
+
+        my $vars = $self->provision($path,
+                                    "LOCALNT4DC9",
+                                    "localntdc9pass",
+                                    $pdc_options);
+
+        $vars or return undef;
+
+        if (not $self->check_or_start($vars, "yes", "yes", "yes")) {
+               return undef;
+        }
+
+        $vars->{DC_SERVER} = $vars->{SERVER};
+        $vars->{DC_SERVER_IP} = $vars->{SERVER_IP};
+        $vars->{DC_SERVER_IPV6} = $vars->{SERVER_IPV6};
+        $vars->{DC_NETBIOSNAME} = $vars->{NETBIOSNAME};
+        $vars->{DC_USERNAME} = $vars->{USERNAME};
+        $vars->{DC_PASSWORD} = $vars->{PASSWORD};
+
+        $self->{vars}->{nt4_dc_schannel} = $vars;
+
+        return $vars;
+}
+
+sub setup_nt4_member($$$)
+{
+        my ($self, $prefix, $nt4_dc_vars) = @_;
+        my $count = 0;
+        my $rc;
 
         print "PROVISIONING MEMBER...";
@@ -163 +313 @@
         security = domain
         server signing = on
+        dbwrap_tdb_mutexes:* = yes
 ";
         my $ret = $self->provision($prefix,
-                                   "LOCALMEMBER3",
-                                   3,
-                                   "localmember3pass",
+                                   "LOCALNT4MEMBER3",
+                                   "localnt4member3pass",
                                    $member_options);
 
-        $ret or die("Unable to provision");
-
-        my $net = $self->binpath("net");
+        $ret or return undef;
+
+        my $nmblookup = Samba::bindir_path($self, "nmblookup");
+        do {
+                print "Waiting for the LOGON SERVER registration ...\n";
+                $rc = system("$nmblookup $ret->{CONFIGURATION} $ret->{DOMAIN}\#1c");
+                if ($rc != 0) {
+                        sleep(1);
+                }
+                $count++;
+        } while ($rc != 0 && $count < 10);
+        if ($count == 10) {
+                print "NMBD not reachable after 10 retries\n";
+                teardown_env($self, $ret);
+                return 0;
+        }
+
+        my $net = Samba::bindir_path($self, "net");
         my $cmd = "";
         $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
-        $cmd .= "$net join $ret->{CONFIGURATION} $s3dcvars->{DOMAIN} member";
-        $cmd .= " -U$s3dcvars->{USERNAME}\%$s3dcvars->{PASSWORD}";
-
-        system($cmd) == 0 or die("Join failed\n$cmd");
-
-        $self->check_or_start($ret,
-                              ($ENV{SMBD_MAXTIME} or 2700),
-                               "yes", "yes", "yes");
-
-        $self->wait_for_start($ret);
-
-        $ret->{DC_SERVER} = $s3dcvars->{SERVER};
-        $ret->{DC_SERVER_IP} = $s3dcvars->{SERVER_IP};
-        $ret->{DC_NETBIOSNAME} = $s3dcvars->{NETBIOSNAME};
-        $ret->{DC_USERNAME} = $s3dcvars->{USERNAME};
-        $ret->{DC_PASSWORD} = $s3dcvars->{PASSWORD};
+        $cmd .= "$net join $ret->{CONFIGURATION} $nt4_dc_vars->{DOMAIN} member";
+        $cmd .= " -U$nt4_dc_vars->{USERNAME}\%$nt4_dc_vars->{PASSWORD}";
+
+        if (system($cmd) != 0) {
+            warn("Join failed\n$cmd");
+            return undef;
+        }
+
+        if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
+               return undef;
+        }
+
+        $ret->{DC_SERVER} = $nt4_dc_vars->{SERVER};
+        $ret->{DC_SERVER_IP} = $nt4_dc_vars->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $nt4_dc_vars->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $nt4_dc_vars->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $nt4_dc_vars->{USERNAME};
+        $ret->{DC_PASSWORD} = $nt4_dc_vars->{PASSWORD};
 
         return $ret;
 }
 
-sub setup_secshare($$)
+sub setup_admember($$$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+
+        # If we didn't build with ADS, pretend this env was never available
+        if (not $self->have_ads()) {
+                return "UNKNOWN";
+        }
+
+        print "PROVISIONING S3 AD MEMBER...";
+
+        my $member_options = "
+        security = ads
+        server signing = on
+        workgroup = $dcvars->{DOMAIN}
+        realm = $dcvars->{REALM}
+";
+
+        my $ret = $self->provision($prefix,
+                                   "LOCALADMEMBER",
+                                   "loCalMemberPass",
+                                   $member_options,
+                                   $dcvars->{SERVER_IP},
+                                   $dcvars->{SERVER_IPV6});
+
+        $ret or return undef;
+
+        close(USERMAP);
+        $ret->{DOMAIN} = $dcvars->{DOMAIN};
+        $ret->{REALM} = $dcvars->{REALM};
+
+        my $ctx;
+        my $prefix_abs = abs_path($prefix);
+        $ctx = {};
+        $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+        $ctx->{domain} = $dcvars->{DOMAIN};
+        $ctx->{realm} = $dcvars->{REALM};
+        $ctx->{dnsname} = lc($dcvars->{REALM});
+        $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+        $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+        Samba::mk_krb5_conf($ctx, "");
+
+        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+        my $net = Samba::bindir_path($self, "net");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$net join $ret->{CONFIGURATION}";
+        $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+        if (system($cmd) != 0) {
+            warn("Join failed\n$cmd");
+            return undef;
+        }
+
+        # We need world access to this share, as otherwise the domain
+        # administrator from the AD domain provided by Samba4 can't
+        # access the share for tests.
+        chmod 0777, "$prefix/share";
+
+        if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
+                return undef;
+        }
+
+        $ret->{DC_SERVER} = $dcvars->{SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+        # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+        $ret->{target} = $self;
+
+        return $ret;
+}
+
+sub setup_admember_rfc2307($$$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+
+        # If we didn't build with ADS, pretend this env was never available
+        if (not $self->have_ads()) {
+                return "UNKNOWN";
+        }
+
+        print "PROVISIONING S3 AD MEMBER WITH idmap_rfc2307 config...";
+
+        my $member_options = "
+        security = ads
+        server signing = on
+        workgroup = $dcvars->{DOMAIN}
+        realm = $dcvars->{REALM}
+        idmap config $dcvars->{DOMAIN} : backend = rfc2307
+        idmap config $dcvars->{DOMAIN} : range = 2000000-2999999
+        idmap config $dcvars->{DOMAIN} : ldap_server = ad
+        idmap config $dcvars->{DOMAIN} : bind_path_user = ou=idmap,dc=samba,dc=example,dc=com
+        idmap config $dcvars->{DOMAIN} : bind_path_group = ou=idmap,dc=samba,dc=example,dc=com
+";
+
+        my $ret = $self->provision($prefix,
+                                   "RFC2307MEMBER",
+                                   "loCalMemberPass",
+                                   $member_options,
+                                   $dcvars->{SERVER_IP},
+                                   $dcvars->{SERVER_IPV6});
+
+        $ret or return undef;
+
+        close(USERMAP);
+        $ret->{DOMAIN} = $dcvars->{DOMAIN};
+        $ret->{REALM} = $dcvars->{REALM};
+
+        my $ctx;
+        my $prefix_abs = abs_path($prefix);
+        $ctx = {};
+        $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+        $ctx->{domain} = $dcvars->{DOMAIN};
+        $ctx->{realm} = $dcvars->{REALM};
+        $ctx->{dnsname} = lc($dcvars->{REALM});
+        $ctx->{kdc_ipv4} = $dcvars->{SERVER_IP};
+        $ctx->{kdc_ipv6} = $dcvars->{SERVER_IPV6};
+        Samba::mk_krb5_conf($ctx, "");
+
+        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+        my $net = Samba::bindir_path($self, "net");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$net join $ret->{CONFIGURATION}";
+        $cmd .= " -U$dcvars->{USERNAME}\%$dcvars->{PASSWORD}";
+
+        if (system($cmd) != 0) {
+            warn("Join failed\n$cmd");
+            return undef;
+        }
+
+        # We need world access to this share, as otherwise the domain
+        # administrator from the AD domain provided by Samba4 can't
+        # access the share for tests.
+        chmod 0777, "$prefix/share";
+
+        if (not $self->check_or_start($ret, "yes", "yes", "yes")) {
+                return undef;
+        }
+
+        $ret->{DC_SERVER} = $dcvars->{SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{PASSWORD};
+
+        # Special case, this is called from Samba4.pm but needs to use the Samba3 check_env and get_log_env
+        $ret->{target} = $self;
+
+        return $ret;
+}
+
+sub setup_simpleserver($$)
 {
         my ($self, $path) = @_;
 
-        print "PROVISIONING server with security=share...";
-
-        my $secshare_options = "
-        security = share
+        print "PROVISIONING simple server...";
+
+        my $prefix_abs = abs_path($path);
+
+        my $simpleserver_options = "
         lanman auth = yes
+        vfs objects = xattr_tdb streams_depot
+        change notify = no
+
+[vfs_aio_fork]
+        path = $prefix_abs/share
+        vfs objects = aio_fork
+        read only = no
+        vfs_aio_fork:erratic_testing_mode=yes
 ";
 
         my $vars = $self->provision($path,
                                     "LOCALSHARE4",
-                                    4,
                                     "local4pass",
-                                    $secshare_options);
-
-        $self->check_or_start($vars,
-                              ($ENV{SMBD_MAXTIME} or 2700),
-                               "yes", "no", "yes");
-
-        $self->wait_for_start($vars);
-
-        $self->{vars}->{secshare} = $vars;
+                                    $simpleserver_options);
+
+        $vars or return undef;
+
+        if (not $self->check_or_start($vars, "yes", "no", "yes")) {
+               return undef;
+        }
+
+        $self->{vars}->{simpleserver} = $vars;
 
         return $vars;
 }
 
-sub setup_secserver($$$)
+sub setup_fileserver($$)
 {
-        my ($self, $prefix, $s3dcvars) = @_;
-
-        print "PROVISIONING server with security=server...";
-
-        my $secserver_options = "
-        security = server
-        password server = $s3dcvars->{SERVER_IP}
-        client ntlmv2 auth = no
+        my ($self, $path) = @_;
+        my $prefix_abs = abs_path($path);
+        my $srcdir_abs = abs_path($self->{srcdir});
+
+        print "PROVISIONING file server ...\n";
+
+        my @dirs = ();
+
+        mkdir($prefix_abs, 0777);
+
+        my $share_dir="$prefix_abs/share";
+
+        # Create share directory structure
+        my $lower_case_share_dir="$share_dir/lower-case";
+        push(@dirs, $lower_case_share_dir);
+
+        my $lower_case_share_dir_30000="$share_dir/lower-case-30000";
+        push(@dirs, $lower_case_share_dir_30000);
+
+        my $dfree_share_dir="$share_dir/dfree";
+        push(@dirs, $dfree_share_dir);
+        push(@dirs, "$dfree_share_dir/subdir1");
+        push(@dirs, "$dfree_share_dir/subdir2");
+
+        my $valid_users_sharedir="$share_dir/valid_users";
+        push(@dirs,$valid_users_sharedir);
+
+        my $offline_sharedir="$share_dir/offline";
+        push(@dirs,$offline_sharedir);
+
+        my $force_user_valid_users_dir = "$share_dir/force_user_valid_users";
+        push(@dirs, $force_user_valid_users_dir);
+
+        my $smbget_sharedir="$share_dir/smbget";
+        push(@dirs,$smbget_sharedir);
+
+        my $fileserver_options = "
+[lowercase]
+        path = $lower_case_share_dir
+        comment = smb username is [%U]
+        case sensitive = True
+        default case = lower
+        preserve case = no
+        short preserve case = no
+[lowercase-30000]
+        path = $lower_case_share_dir_30000
+        comment = smb username is [%U]
+        case sensitive = True
+        default case = lower
+        preserve case = no
+        short preserve case = no
+[dfree]
+        path = $dfree_share_dir
+        comment = smb username is [%U]
+        dfree command = $srcdir_abs/testprogs/blackbox/dfree.sh
+[valid-users-access]
+        path = $valid_users_sharedir
+        valid users = +userdup
+[offline]
+        path = $offline_sharedir
+        vfs objects = offline
+
+# BUG: https://bugzilla.samba.org/show_bug.cgi?id=9878
+# RH BUG: https://bugzilla.redhat.com/show_bug.cgi?id=1077651
+[force_user_valid_users]
+        path = $force_user_valid_users_dir
+        comment = force user with valid users combination test share
+        valid users = +force_user
+        force user = force_user
+        force group = everyone
+        write list = force_user
+
+[smbget]
+        path = $smbget_sharedir
+        comment = smb username is [%U]
+        guest ok = yes
 ";
 
+        my $vars = $self->provision($path,
+                                    "FILESERVER",
+                                    "fileserver",
+                                    $fileserver_options,
+                                    undef,
+                                    undef,
+                                    1);
+
+        $vars or return undef;
+
+        if (not $self->check_or_start($vars, "yes", "no", "yes")) {
+               return undef;
+        }
+
+        $self->{vars}->{fileserver} = $vars;
+
+        mkdir($_, 0777) foreach(@dirs);
+
+        ## Create case sensitive lower case share dir
+        foreach my $file ('a'..'z') {
+                my $full_path = $lower_case_share_dir . '/' . $file;
+                open my $fh, '>', $full_path;
+                # Add some content to file
+                print $fh $full_path;
+                close $fh;
+        }
+
+        for (my $file = 1; $file < 51; ++$file) {
+                my $full_path = $lower_case_share_dir . '/' . $file;
+                open my $fh, '>', $full_path;
+                # Add some content to file
+                print $fh $full_path;
+                close $fh;
+        }
+
+        # Create content for 30000 share
+        foreach my $file ('a'..'z') {
+                my $full_path = $lower_case_share_dir_30000 . '/' . $file;
+                open my $fh, '>', $full_path;
+                # Add some content to file
+                print $fh $full_path;
+                close $fh;
+        }
+
+        for (my $file = 1; $file < 30001; ++$file) {
+                my $full_path = $lower_case_share_dir_30000 . '/' . $file;
+                open my $fh, '>', $full_path;
+                # Add some content to file
+                print $fh $full_path;
+                close $fh;
+        }
+
+        ##
+        ## create a listable file in valid_users_share
+        ##
+        my $valid_users_target = "$valid_users_sharedir/foo";
+        unless (open(VALID_USERS_TARGET, ">$valid_users_target")) {
+                warn("Unable to open $valid_users_target");
+                return undef;
+        }
+        close(VALID_USERS_TARGET);
+        chmod 0644, $valid_users_target;
+
+        return $vars;
+}
+
+sub setup_ktest($$$)
+{
+        my ($self, $prefix) = @_;
+
+        # If we didn't build with ADS, pretend this env was never available
+        if (not $self->have_ads()) {
+                return "UNKNOWN";
+        }
+
+        print "PROVISIONING server with security=ads...";
+
+        my $ktest_options = "
+        workgroup = KTEST
+        realm = ktest.samba.example.com
+        security = ads
+        username map = $prefix/lib/username.map
+        server signing = required
+";
+
         my $ret = $self->provision($prefix,
-                                   "LOCALSERVER5",
-                                   5,
-                                   "localserver5pass",
-                                   $secserver_options);
-
-        $ret or die("Unable to provision");
-
-        $self->check_or_start($ret,
-                              ($ENV{SMBD_MAXTIME} or 2700),
-                               "yes", "no", "yes");
-
-        $self->wait_for_start($ret);
-
-        $ret->{DC_SERVER} = $s3dcvars->{SERVER};
-        $ret->{DC_SERVER_IP} = $s3dcvars->{SERVER_IP};
-        $ret->{DC_NETBIOSNAME} = $s3dcvars->{NETBIOSNAME};
-        $ret->{DC_USERNAME} = $s3dcvars->{USERNAME};
-        $ret->{DC_PASSWORD} = $s3dcvars->{PASSWORD};
-
+                                   "LOCALKTEST6",
+                                   "localktest6pass",
+                                   $ktest_options);
+
+        $ret or return undef;
+
+        my $ctx;
+        my $prefix_abs = abs_path($prefix);
+        $ctx = {};
+        $ctx->{krb5_conf} = "$prefix_abs/lib/krb5.conf";
+        $ctx->{domain} = "KTEST";
+        $ctx->{realm} = "KTEST.SAMBA.EXAMPLE.COM";
+        $ctx->{dnsname} = lc($ctx->{realm});
+        $ctx->{kdc_ipv4} = "0.0.0.0";
+        $ctx->{kdc_ipv6} = "::";
+        Samba::mk_krb5_conf($ctx, "");
+
+        $ret->{KRB5_CONFIG} = $ctx->{krb5_conf};
+
+        open(USERMAP, ">$prefix/lib/username.map") or die("Unable to open $prefix/lib/username.map");
+        print USERMAP "
+$ret->{USERNAME} = KTEST\\Administrator
+";
+        close(USERMAP);
+
+#This is the secrets.tdb created by 'net ads join' from Samba3 to a
+#Samba4 DC with the same parameters as are being used here.  The
+#domain SID is S-1-5-21-1071277805-689288055-3486227160
+
+        system("cp $self->{srcdir}/source3/selftest/ktest-secrets.tdb $prefix/private/secrets.tdb");
+        chmod 0600, "$prefix/private/secrets.tdb";
+
+#Make sure there's no old ntdb file.
+        system("rm -f $prefix/private/secrets.ntdb");
+
+#This uses a pre-calculated krb5 credentials cache, obtained by running Samba4 with:
+# "--option=kdc:service ticket lifetime=239232" "--option=kdc:user ticket lifetime=239232" "--option=kdc:renewal lifetime=239232"
+#
+#and having in krb5.conf:
+# ticket_lifetime = 799718400
+# renew_lifetime = 799718400
+#
+# The commands for the -2 keytab where were:
+# kinit administrator@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/localktest6@KTEST.SAMBA.EXAMPLE.COM
+# kvno host/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+# kvno cifs/LOCALKTEST6@KTEST.SAMBA.EXAMPLE.COM
+#
+# and then for the -3 keytab, I did
+#
+# net changetrustpw; kdestroy and the same again.
+#
+# This creates a credential cache with a very long lifetime (2036 at
+# at 2011-04), and shows that running 'net changetrustpw' does not
+# break existing logins (for the secrets.tdb method at least).
+#
+
+        $ret->{KRB5_CCACHE}="FILE:$prefix/krb5_ccache";
+
+        system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-2 $prefix/krb5_ccache-2");
+        chmod 0600, "$prefix/krb5_ccache-2";
+
+        system("cp $self->{srcdir}/source3/selftest/ktest-krb5_ccache-3 $prefix/krb5_ccache-3");
+        chmod 0600, "$prefix/krb5_ccache-3";
+
+        # We need world access to this share, as otherwise the domain
+        # administrator from the AD domain provided by ktest can't
+        # access the share for tests.
+        chmod 0777, "$prefix/share";
+
+        if (not $self->check_or_start($ret, "yes", "no", "yes")) {
+               return undef;
+        }
         return $ret;
+}
+
+sub setup_maptoguest($$)
+{
+        my ($self, $path) = @_;
+
+        print "PROVISIONING maptoguest...";
+
+        my $options = "
+map to guest = bad user
+";
+
+        my $vars = $self->provision($path,
+                                    "maptoguest",
+                                    "maptoguestpass",
+                                    $options);
+
+        $vars or return undef;
+
+        if (not $self->check_or_start($vars, "yes", "no", "yes")) {
+               return undef;
+        }
+
+        $self->{vars}->{s3maptoguest} = $vars;
+
+        return $vars;
 }
 
@@ -288 +868 @@
 
 sub check_or_start($$$$$) {
-        my ($self, $env_vars, $maxtime, $nmbd, $winbindd, $smbd) = @_;
+        my ($self, $env_vars, $nmbd, $winbindd, $smbd) = @_;
+
+        # use a pipe for stdin in the child processes. This allows
+        # those processes to monitor the pipe for EOF to ensure they
+        # exit when the test script exits
+        pipe(STDIN_READER, $env_vars->{STDIN_PIPE});
 
         unlink($env_vars->{NMBD_TEST_LOG});
@@ -299 +884 @@
                 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
-                $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
+                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                 $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
                 $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
                 $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
-                $ENV{NSS_WRAPPER_WINBIND_SO_PATH} = $env_vars->{NSS_WRAPPER_WINBIND_SO_PATH};
+                $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
+                $ENV{NSS_WRAPPER_HOSTNAME} = $env_vars->{NSS_WRAPPER_HOSTNAME};
+                $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
+                $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
+                $ENV{UID_WRAPPER_ROOT} = "1";
+
+                $ENV{ENVNAME} = "$ENV{ENVNAME}.nmbd";
 
                 if ($nmbd ne "yes") {
@@ -312 +904 @@
                                 exit 0;
                         };
-                        sleep($maxtime);
+                        sleep($self->{server_maxtime});
                         exit 0;
                 }
 
+                $ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "nmbd");
                 my @optargs = ("-d0");
                 if (defined($ENV{NMBD_OPTIONS})) {
                         @optargs = split(/ /, $ENV{NMBD_OPTIONS});
                 }
-
-                $ENV{MAKE_TEST_BINARY} = $self->binpath("nmbd");
-
-                my @preargs = ($self->binpath("timelimit"), $maxtime);
+                my @preargs = (Samba::bindir_path($self, "timelimit"), $self->{server_maxtime});
                 if(defined($ENV{NMBD_VALGRIND})) { 
                         @preargs = split(/ /, $ENV{NMBD_VALGRIND});
                 }
-
-                exec(@preargs, $self->binpath("nmbd"), "-F", "--no-process-group", "-S", "-s", $env_vars->{SERVERCONFFILE}, @optargs) or die("Unable to start nmbd: $!");
-        }
+                my @args = ("-F", "--no-process-group",
+                            "-s", $env_vars->{SERVERCONFFILE},
+                            "-l", $env_vars->{LOGDIR});
+                if (not defined($ENV{NMBD_DONT_LOG_STDOUT})) {
+                        push(@args, "--log-stdout");
+                }
+
+                close($env_vars->{STDIN_PIPE});
+                open STDIN, ">&", \*STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+                exec(@preargs, $ENV{MAKE_TEST_BINARY}, @args, @optargs)
+                        or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
+        }
+        $env_vars->{NMBD_TL_PID} = $pid;
         write_pid($env_vars, "nmbd", $pid);
         print "DONE\n";
@@ -342 +943 @@
                 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
-                $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
+                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                 $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
                 $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
                 $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
-                $ENV{NSS_WRAPPER_WINBIND_SO_PATH} = $env_vars->{NSS_WRAPPER_WINBIND_SO_PATH};
+                $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
+                $ENV{NSS_WRAPPER_HOSTNAME} = $env_vars->{NSS_WRAPPER_HOSTNAME};
+                $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
+                $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
+                if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+                        $ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+                } else {
+                        $ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+                }
+                $ENV{UID_WRAPPER_ROOT} = "1";
+
+                $ENV{ENVNAME} = "$ENV{ENVNAME}.winbindd";
 
                 if ($winbindd ne "yes") {
@@ -355 +968 @@
                                 exit 0;
                         };
-                        sleep($maxtime);
+                        sleep($self->{server_maxtime});
                         exit 0;
                 }
 
+                $ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "winbindd");
                 my @optargs = ("-d0");
                 if (defined($ENV{WINBINDD_OPTIONS})) {
                         @optargs = split(/ /, $ENV{WINBINDD_OPTIONS});
                 }
-
-                $ENV{MAKE_TEST_BINARY} = $self->binpath("winbindd");
-
-                my @preargs = ($self->binpath("timelimit"), $maxtime);
+                my @preargs = (Samba::bindir_path($self, "timelimit"), $self->{server_maxtime});
                 if(defined($ENV{WINBINDD_VALGRIND})) {
                         @preargs = split(/ /, $ENV{WINBINDD_VALGRIND});
                 }
-
-                exec(@preargs, $self->binpath("winbindd"), "-F", "--no-process-group", "-s", $env_vars->{SERVERCONFFILE}, @optargs) or die("Unable to start winbindd: $!");
-        }
+                my @args = ("-F", "--no-process-group",
+                            "-s", $env_vars->{SERVERCONFFILE},
+                            "-l", $env_vars->{LOGDIR});
+                if (not defined($ENV{WINBINDD_DONT_LOG_STDOUT})) {
+                        push(@args, "--stdout");
+                }
+
+                close($env_vars->{STDIN_PIPE});
+                open STDIN, ">&", \*STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+                exec(@preargs, $ENV{MAKE_TEST_BINARY}, @args, @optargs)
+                        or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
+        }
+        $env_vars->{WINBINDD_TL_PID} = $pid;
         write_pid($env_vars, "winbindd", $pid);
         print "DONE\n";
@@ -385 +1007 @@
                 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
-                $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
+                $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
+                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
                 $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
                 $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
                 $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
-                $ENV{NSS_WRAPPER_WINBIND_SO_PATH} = $env_vars->{NSS_WRAPPER_WINBIND_SO_PATH};
+                $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
+                $ENV{NSS_WRAPPER_HOSTNAME} = $env_vars->{NSS_WRAPPER_HOSTNAME};
+                $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
+                $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
+                if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+                        $ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+                } else {
+                        $ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+                }
+                $ENV{UID_WRAPPER_ROOT} = "1";
+
+                $ENV{ENVNAME} = "$ENV{ENVNAME}.smbd";
 
                 if ($smbd ne "yes") {
@@ -398 +1032 @@
                                 exit 0;
                         };
-                        sleep($maxtime);
+                        sleep($self->{server_maxtime});
                         exit 0;
                 }
 
-                $ENV{MAKE_TEST_BINARY} = $self->binpath("smbd");
+                $ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "smbd");
                 my @optargs = ("-d0");
                 if (defined($ENV{SMBD_OPTIONS})) {
                         @optargs = split(/ /, $ENV{SMBD_OPTIONS});
                 }
-                my @preargs = ($self->binpath("timelimit"), $maxtime);
+                my @preargs = (Samba::bindir_path($self, "timelimit"), $self->{server_maxtime});
                 if(defined($ENV{SMBD_VALGRIND})) {
                         @preargs = split(/ /,$ENV{SMBD_VALGRIND});
                 }
-                exec(@preargs, $self->binpath("smbd"), "-F", "--no-process-group", "-s", $env_vars->{SERVERCONFFILE}, @optargs) or die("Unable to start smbd: $!");
-        }
+                my @args = ("-F", "--no-process-group",
+                            "-s", $env_vars->{SERVERCONFFILE},
+                            "-l", $env_vars->{LOGDIR});
+                if (not defined($ENV{SMBD_DONT_LOG_STDOUT})) {
+                        push(@args, "--log-stdout");
+                }
+
+                close($env_vars->{STDIN_PIPE});
+                open STDIN, ">&", \*STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+                exec(@preargs, $ENV{MAKE_TEST_BINARY}, @args, @optargs)
+                        or die("Unable to start $ENV{MAKE_TEST_BINARY}: $!");
+        }
+        $env_vars->{SMBD_TL_PID} = $pid;
         write_pid($env_vars, "smbd", $pid);
         print "DONE\n";
 
-        return 0;
-}
-
-sub provision($$$$$$)
+        close(STDIN_READER);
+
+        return $self->wait_for_start($env_vars, $nmbd, $winbindd, $smbd);
+}
+
+sub createuser($$$$)
 {
-        my ($self, $prefix, $server, $swiface, $password, $extra_options) = @_;
+        my ($self, $username, $password, $conffile) = @_;
+        my $cmd = "UID_WRAPPER_ROOT=1 " . Samba::bindir_path($self, "smbpasswd")." -c $conffile -L -s -a $username > /dev/null";
+        unless (open(PWD, "|$cmd")) {
+            warn("Unable to set password for $username account\n$cmd");
+            return undef;
+        }
+        print PWD "$password\n$password\n";
+        unless (close(PWD)) {
+            warn("Unable to set password for $username account\n$cmd");
+            return undef;
+        }
+        print "DONE\n";
+}
+
+sub provision($$$$$$$$)
+{
+        my ($self, $prefix, $server, $password, $extra_options, $dc_server_ip, $dc_server_ipv6, $no_delete_prefix) = @_;
 
         ##
@@ -427 +1091 @@
         ##
 
+        my $swiface = Samba::get_interface($server);
         my %ret = ();
         my $server_ip = "127.0.0.$swiface";
+        my $server_ipv6 = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
         my $domain = "SAMBA-TEST";
 
@@ -439 +1105 @@
         my $prefix_abs = abs_path($prefix);
         my $bindir_abs = abs_path($self->{bindir});
-        my $vfs_modulesdir_abs = ($ENV{VFSLIBDIR} or $bindir_abs);
 
         my @dirs = ();
@@ -481 +1146 @@
         my $msdfs_deeppath="$msdfs_shrdir/deeppath";
         push(@dirs,$msdfs_deeppath);
+
+        my $badnames_shrdir="$shrdir/badnames";
+        push(@dirs,$badnames_shrdir);
+
+        my $lease1_shrdir="$shrdir/SMB2_10";
+        push(@dirs,$lease1_shrdir);
+
+        my $lease2_shrdir="$shrdir/SMB3_00";
+        push(@dirs,$lease2_shrdir);
+
+        my $manglenames_shrdir="$shrdir/manglenames";
+        push(@dirs,$manglenames_shrdir);
+
+        my $widelinks_shrdir="$shrdir/widelinks";
+        push(@dirs,$widelinks_shrdir);
+
+        my $widelinks_linkdir="$shrdir/widelinks_foo";
+        push(@dirs,$widelinks_linkdir);
+
+        my $shadow_tstdir="$shrdir/shadow";
+        push(@dirs,$shadow_tstdir);
+        my $shadow_mntdir="$shadow_tstdir/mount";
+        push(@dirs,$shadow_mntdir);
+        my $shadow_basedir="$shadow_mntdir/base";
+        push(@dirs,$shadow_basedir);
+        my $shadow_shrdir="$shadow_basedir/share";
+        push(@dirs,$shadow_shrdir);
 
         # this gets autocreated by winbindd
@@ -497 +1189 @@
         mkdir($prefix_abs, 0777);
         print "CREATE TEST ENVIRONMENT IN '$prefix'...";
-        system("rm -rf $prefix_abs/*");
+        if (not defined($no_delete_prefix) or not $no_delete_prefix) {
+            system("rm -rf $prefix_abs/*");
+        }
         mkdir($_, 0777) foreach(@dirs);
+
+        my $fs_specific_conf = $self->get_fs_specific_conf($shrdir);
+
+        ##
+        ## lockdir and piddir must be 0755
+        ##
+        chmod 0755, $lockdir;
+        chmod 0755, $piddir;
+
 
         ##
@@ -506 +1209 @@
         chmod 0755, $ro_shrdir;
         my $unreadable_file = "$ro_shrdir/unreadable_file";
-        open(UNREADABLE_FILE, ">$unreadable_file") or die("Unable to open $unreadable_file");
+        unless (open(UNREADABLE_FILE, ">$unreadable_file")) {
+                warn("Unable to open $unreadable_file");
+                return undef;
+        }
         close(UNREADABLE_FILE);
         chmod 0600, $unreadable_file;
 
         my $msdfs_target = "$ro_shrdir/msdfs-target";
-        open(MSDFS_TARGET, ">$msdfs_target") or die("Unable to open $msdfs_target");
+        unless (open(MSDFS_TARGET, ">$msdfs_target")) {
+                warn("Unable to open $msdfs_target");
+                return undef;
+        }
         close(MSDFS_TARGET);
         chmod 0666, $msdfs_target;
-        symlink "msdfs:$server_ip\\ro-tmp", "$msdfs_shrdir/msdfs-src1";
-        symlink "msdfs:$server_ip\\ro-tmp", "$msdfs_shrdir/deeppath/msdfs-src2";
+        symlink "msdfs:$server_ip\\ro-tmp,$server_ipv6\\ro-tmp",
+                "$msdfs_shrdir/msdfs-src1";
+        symlink "msdfs:$server_ipv6\\ro-tmp", "$msdfs_shrdir/deeppath/msdfs-src2";
+
+        ##
+        ## create bad names in $badnames_shrdir
+        ##
+        ## (An invalid name, would be mangled to 8.3).
+        my $badname_target = "$badnames_shrdir/\340|\231\216\377\177";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
+        ## (A bad name, would not be mangled to 8.3).
+        my $badname_target = "$badnames_shrdir/\240\276\346\327\377\177";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
+        ## (A bad good name).
+        my $badname_target = "$badnames_shrdir/blank.txt";
+        unless (open(BADNAME_TARGET, ">$badname_target")) {
+                warn("Unable to open $badname_target");
+                return undef;
+        }
+        close(BADNAME_TARGET);
+        chmod 0666, $badname_target;
+
+        ##
+        ## create mangleable directory names in $manglenames_shrdir
+        ##
+        my $manglename_target = "$manglenames_shrdir/foo:bar";
+        mkdir($manglename_target, 0777);
+
+        ##
+        ## create symlinks for widelinks tests.
+        ##
+        my $widelinks_target = "$widelinks_linkdir/target";
+        unless (open(WIDELINKS_TARGET, ">$widelinks_target")) {
+                warn("Unable to open $widelinks_target");
+                return undef;
+        }
+        close(WIDELINKS_TARGET);
+        chmod 0666, $widelinks_target;
+        ##
+        ## This link should get ACCESS_DENIED
+        ##
+        symlink "$widelinks_target", "$widelinks_shrdir/source";
+        ##
+        ## This link should be allowed
+        ##
+        symlink "$widelinks_shrdir", "$widelinks_shrdir/dot";
 
         my $conffile="$libdir/server.conf";
+        my $dfqconffile="$libdir/dfq.conf";
 
         my $nss_wrapper_pl = "$ENV{PERL} $self->{srcdir}/lib/nss_wrapper/nss_wrapper.pl";
         my $nss_wrapper_passwd = "$privatedir/passwd";
         my $nss_wrapper_group = "$privatedir/group";
+        my $nss_wrapper_hosts = "$ENV{SELFTEST_PREFIX}/hosts";
+        my $resolv_conf = "$privatedir/resolv.conf";
+        my $dns_host_file = "$ENV{SELFTEST_PREFIX}/dns_host_file";
 
         my $mod_printer_pl = "$ENV{PERL} $self->{srcdir}/source3/script/tests/printing/modprinter.pl";
 
+        my $fake_snap_pl = "$ENV{PERL} $self->{srcdir}/source3/script/tests/fake_snap.pl";
+
         my @eventlog_list = ("dns server", "application");
 
@@ -532 +1303 @@
 
         my ($max_uid, $max_gid);
-        my ($uid_nobody, $uid_root);
-        my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers);
-
-        if ($unix_uid < 0xffff - 2) {
+        my ($uid_nobody, $uid_root, $uid_pdbtest, $uid_pdbtest2, $uid_userdup);
+        my ($uid_pdbtest_wkn);
+        my ($uid_smbget);
+        my ($uid_force_user);
+        my ($gid_nobody, $gid_nogroup, $gid_root, $gid_domusers, $gid_domadmins);
+        my ($gid_userdup, $gid_everyone);
+        my ($gid_force_user);
+
+        if ($unix_uid < 0xffff - 7) {
                 $max_uid = 0xffff;
         } else {
@@ -543 +1319 @@
         $uid_root = $max_uid - 1;
         $uid_nobody = $max_uid - 2;
-
-        if ($unix_gids[0] < 0xffff - 3) {
+        $uid_pdbtest = $max_uid - 3;
+        $uid_pdbtest2 = $max_uid - 4;
+        $uid_userdup = $max_uid - 5;
+        $uid_pdbtest_wkn = $max_uid - 6;
+        $uid_force_user = $max_uid - 7;
+        $uid_smbget = $max_uid - 8;
+
+        if ($unix_gids[0] < 0xffff - 8) {
                 $max_gid = 0xffff;
         } else {
@@ -554 +1336 @@
         $gid_root = $max_gid - 3;
         $gid_domusers = $max_gid - 4;
+        $gid_domadmins = $max_gid - 5;
+        $gid_userdup = $max_gid - 6;
+        $gid_everyone = $max_gid - 7;
+        $gid_force_user = $max_gid - 8;
 
         ##
@@ -559 +1345 @@
         ##
 
-        open(CONF, ">$conffile") or die("Unable to open $conffile");
+        unless (open(CONF, ">$conffile")) {
+                warn("Unable to open $conffile");
+                return undef;
+        }
         print CONF "
 [global]
         netbios name = $server
-        interfaces = $server_ip/8
+        interfaces = $server_ip/8 $server_ipv6/64
         bind interfaces only = yes
-        panic action = $self->{srcdir}/selftest/gdb_backtrace %d %\$(MAKE_TEST_BINARY)
+        panic action = cd $self->{srcdir} && $self->{srcdir}/selftest/gdb_backtrace %d %\$(MAKE_TEST_BINARY)
+        smbd:suicide mode = yes
 
         workgroup = $domain
@@ -573 +1363 @@
         lock directory = $lockdir
         log file = $logdir/log.\%m
-        log level = 0
+        log level = 1
         debug pid = yes
-
-        name resolve order = bcast
+        max log size = 0
 
         state directory = $lockdir
@@ -600 +1389 @@
         kernel oplocks = no
         kernel change notify = no
-
-        syslog = no
+        smb2 leases = yes
+
+        logging = file
         printing = bsd
         printcap name = /dev/null
 
-        winbindd:socket dir = $wbsockdir
+        winbindd socket directory = $wbsockdir
         nmbd:socket dir = $nmbdsockdir
         idmap config * : range = 100000-200000
         winbind enum users = yes
         winbind enum groups = yes
+        winbind separator = /
 
 #       min receivefile size = 4000
 
-        max protocol = SMB2
         read only = no
         server signing = auto
 
         smbd:sharedelay = 100000
-#       smbd:writetimeupdatedelay = 500000
+        smbd:writetimeupdatedelay = 500000
         map hidden = no
         map system = no
@@ -624 +1414 @@
         store dos attributes = yes
         create mask = 755
-        vfs objects = $vfs_modulesdir_abs/xattr_tdb.so $vfs_modulesdir_abs/streams_depot.so
+        dos filemode = yes
+        strict rename = yes
+        strict sync = yes
+        vfs objects = acl_xattr fake_acls xattr_tdb streams_depot
 
         printing = vlp
@@ -635 +1428 @@
         queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
         lpq cache time = 0
-
-        ncalrpc dir = $lockdir/ncalrpc
-        rpc_server:epmapper = embedded
+        print notify backchannel = yes
+
+        ncalrpc dir = $prefix_abs/ncalrpc
+
+        # The samba3.blackbox.smbclient_s3 test uses this to test that
+        # sending messages works, and that the %m sub works.
+        message command = mv %s $shrdir/message.%m
+
+        # fsrvp server requires registry shares
+        registry shares = yes
+
+        # Used by RPC SRVSVC tests
+        add share command = $bindir_abs/smbaddshare
+        change share command = $bindir_abs/smbchangeshare
+        delete share command = $bindir_abs/smbdeleteshare
+
+        # fruit:copyfile is a global option
+        fruit:copyfile = yes
+
+        #this does not mean that we use non-secure test env,
+        #it just means we ALLOW one to be configured.
+        allow insecure wide links = yes
 
         # Begin extra options
@@ -653 +1465 @@
 [tmp]
         path = $shrdir
-        comment = smb username is [%U]
-        vfs objects = $vfs_modulesdir_abs/dirsort.so
+        comment = smb username is [%U]
+[tmpsort]
+        path = $shrdir
+        comment = Load dirsort module
+        vfs objects = dirsort acl_xattr fake_acls xattr_tdb streams_depot
+[tmpenc]
+        path = $shrdir
+        comment = encrypt smb username is [%U]
+        smb encrypt = required
+        vfs objects = dirsort
 [tmpguest]
         path = $shrdir
@@ -666 +1486 @@
         force user = $unix_name
         guest ok = yes
+[forceuser_unixonly]
+        comment = force a user with unix user SID and group SID
+        path = $shrdir
+        force user = pdbtest
+        guest ok = yes
+[forceuser_wkngroup]
+        comment = force a user with well-known group SID
+        path = $shrdir
+        force user = pdbtest_wkn
+        guest ok = yes
 [forcegroup]
         path = $shrdir
@@ -673 +1503 @@
         path = $ro_shrdir
         guest ok = yes
+[write-list-tmp]
+        path = $shrdir
+        read only = yes
+        write list = $unix_name
+[valid-users-tmp]
+        path = $shrdir
+        valid users = $unix_name
 [msdfs-share]
         path = $msdfs_shrdir
         msdfs root = yes
+        msdfs shuffle referrals = yes
         guest ok = yes
 [hideunread]
@@ -686 +1524 @@
         copy = tmp
         hide unwriteable files = yes
+[durable]
+        copy = tmp
+        kernel share modes = no
+        kernel oplocks = no
+        posix locking = no
+[fs_specific]
+        copy = tmp
+        $fs_specific_conf
 [print1]
         copy = tmp
@@ -694 +1540 @@
 [print3]
         copy = print1
+        default devmode = no
 [lp]
         copy = print1
+
+[nfs4acl_simple]
+        path = $shrdir
+        comment = smb username is [%U]
+        nfs4:mode = simple
+        vfs objects = nfs4acl_xattr xattr_tdb
+
+[nfs4acl_special]
+        path = $shrdir
+        comment = smb username is [%U]
+        nfs4:mode = special
+        vfs objects = nfs4acl_xattr xattr_tdb
+
+[xcopy_share]
+        path = $shrdir
+        comment = smb username is [%U]
+        create mask = 777
+        force create mode = 777
+[posix_share]
+        path = $shrdir
+        comment = smb username is [%U]
+        create mask = 0777
+        force create mode = 0
+        directory mask = 0777
+        force directory mode = 0
+        vfs objects = xattr_tdb
+[aio]
+        copy = tmp
+        aio read size = 1
+        aio write size = 1
+
 [print\$]
         copy = tmp
+
+[vfs_fruit]
+        path = $shrdir
+        vfs objects = catia fruit streams_xattr acl_xattr
+        ea support = yes
+        fruit:ressource = file
+        fruit:metadata = netatalk
+        fruit:locking = netatalk
+        fruit:encoding = native
+
+[badname-tmp]
+        path = $badnames_shrdir
+        guest ok = yes
+
+[manglenames_share]
+        path = $manglenames_shrdir
+        guest ok = yes
+
+[dynamic_share]
+        path = $shrdir/%R
+        guest ok = yes
+
+[widelinks_share]
+        path = $widelinks_shrdir
+        wide links = no
+        guest ok = yes
+
+[fsrvp_share]
+        path = $shrdir
+        comment = fake shapshots using rsync
+        vfs objects = shell_snap shadow_copy2
+        shell_snap:check path command = $fake_snap_pl --check
+        shell_snap:create command = $fake_snap_pl --create
+        shell_snap:delete command = $fake_snap_pl --delete
+        # a relative path here fails, the snapshot dir is no longer found
+        shadow:snapdir = $shrdir/.snapshots
+
+[shadow1]
+        path = $shadow_shrdir
+        comment = previous versions snapshots under mount point
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+
+[shadow2]
+        path = $shadow_shrdir
+        comment = previous versions snapshots outside mount point
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow3]
+        path = $shadow_shrdir
+        comment = previous versions with subvolume snapshots, snapshots under base dir
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        shadow:basedir = $shadow_basedir
+        shadow:snapdir = $shadow_basedir/.snapshots
+
+[shadow4]
+        path = $shadow_shrdir
+        comment = previous versions with subvolume snapshots, snapshots outside mount point
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        shadow:basedir = $shadow_basedir
+        shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow5]
+        path = $shadow_shrdir
+        comment = previous versions at volume root snapshots under mount point
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_shrdir
+
+[shadow6]
+        path = $shadow_shrdir
+        comment = previous versions at volume root snapshots outside mount point
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_shrdir
+        shadow:snapdir = $shadow_tstdir/.snapshots
+
+[shadow7]
+        path = $shadow_shrdir
+        comment = previous versions snapshots everywhere
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        shadow:snapdirseverywhere = yes
+
+[shadow8]
+        path = $shadow_shrdir
+        comment = previous versions using snapsharepath
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        shadow:snapdir = $shadow_tstdir/.snapshots
+        shadow:snapsharepath = share
+
+[shadow_wl]
+        path = $shadow_shrdir
+        comment = previous versions with wide links allowed
+        vfs objects = shadow_copy2
+        shadow:mountpoint = $shadow_mntdir
+        wide links = yes
+[dfq]
+        path = $shrdir/dfree
+        vfs objects = fake_dfq
+        admin users = $unix_name
+        include = $dfqconffile
         ";
         close(CONF);
 
+        unless (open(DFQCONF, ">$dfqconffile")) {
+                warn("Unable to open $dfqconffile");
+                return undef;
+        }
+        close(DFQCONF);
+
         ##
         ## create a test account
         ##
 
-        open(PASSWD, ">$nss_wrapper_passwd") or die("Unable to open $nss_wrapper_passwd");
+        unless (open(PASSWD, ">$nss_wrapper_passwd")) {
+           warn("Unable to open $nss_wrapper_passwd");
+           return undef;
+        } 
         print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false
 $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false
+pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+pdbtest2:x:$uid_pdbtest2:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false
+userdup:x:$uid_userdup:$gid_userdup:userdup gecos:$prefix_abs:/bin/false
+pdbtest_wkn:x:$uid_pdbtest_wkn:$gid_everyone:pdbtest_wkn gecos:$prefix_abs:/bin/false
+force_user:x:$uid_force_user:$gid_force_user:force user gecos:$prefix_abs:/bin/false
+smbget_user:x:$uid_smbget:$gid_domusers:smbget_user gecos:$prefix_abs:/bin/false
 ";
         if ($unix_uid != 0) {
-                print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false";
+                print PASSWD "root:x:$uid_root:$gid_root:root gecos:$prefix_abs:/bin/false
+";
         }
         close(PASSWD);
 
-        open(GROUP, ">$nss_wrapper_group") or die("Unable to open $nss_wrapper_group");
+        unless (open(GROUP, ">$nss_wrapper_group")) {
+             warn("Unable to open $nss_wrapper_group");
+             return undef;
+        }
         print GROUP "nobody:x:$gid_nobody:
 nogroup:x:$gid_nogroup:nobody
 $unix_name-group:x:$unix_gids[0]:
 domusers:X:$gid_domusers:
+domadmins:X:$gid_domadmins:
+userdup:x:$gid_userdup:$unix_name
+everyone:x:$gid_everyone:
+force_user:x:$gid_force_user:
 ";
         if ($unix_gids[0] != 0) {
-                print GROUP "root:x:$gid_root:";
+                print GROUP "root:x:$gid_root:
+";
         }
 
         close(GROUP);
+
+        ## hosts
+        my $hostname = lc($server);
+        unless (open(HOSTS, ">>$nss_wrapper_hosts")) {
+                warn("Unable to open $nss_wrapper_hosts");
+                return undef;
+        }
+        print HOSTS "${server_ip} ${hostname}.samba.example.com ${hostname}\n";
+        print HOSTS "${server_ipv6} ${hostname}.samba.example.com ${hostname}\n";
+        close(HOSTS);
+
+        ## hosts
+        unless (open(RESOLV_CONF, ">$resolv_conf")) {
+                warn("Unable to open $resolv_conf");
+                return undef;
+        }
+        if (defined($dc_server_ip) or defined($dc_server_ipv6)) {
+                if (defined($dc_server_ip)) {
+                        print RESOLV_CONF "nameserver $dc_server_ip\n";
+                }
+                if (defined($dc_server_ipv6)) {
+                        print RESOLV_CONF "nameserver $dc_server_ipv6\n";
+                }
+        } else {
+                print RESOLV_CONF "nameserver ${server_ip}\n";
+                print RESOLV_CONF "nameserver ${server_ipv6}\n";
+        }
+        close(RESOLV_CONF);
 
         foreach my $evlog (@eventlog_list) {
@@ -734 +1769 @@
         $ENV{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
         $ENV{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
-
-        open(PWD, "|".$self->binpath("smbpasswd")." -c $conffile -L -s -a $unix_name >/dev/null");
-        print PWD "$password\n$password\n";
-        close(PWD) or die("Unable to set password for test account");
-
-        print "DONE\n";
+        $ENV{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
+        $ENV{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+        if ($ENV{SAMBA_DNS_FAKING}) {
+                $ENV{RESOLV_WRAPPER_CONF} = $resolv_conf;
+        } else {
+                $ENV{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
+        }
+
+        createuser($self, $unix_name, $password, $conffile) || die("Unable to create user");
+        createuser($self, "force_user", $password, $conffile) || die("Unable to create force_user");
+        createuser($self, "smbget_user", $password, $conffile) || die("Unable to create smbget_user");
+
+        open(DNS_UPDATE_LIST, ">$prefix/dns_update_list") or die("Unable to open $$prefix/dns_update_list");
+        print DNS_UPDATE_LIST "A $server. $server_ip\n";
+        print DNS_UPDATE_LIST "AAAA $server. $server_ipv6\n";
+        close(DNS_UPDATE_LIST);
 
         $ret{SERVER_IP} = $server_ip;
+        $ret{SERVER_IPV6} = $server_ipv6;
         $ret{NMBD_TEST_LOG} = "$prefix/nmbd_test.log";
         $ret{NMBD_TEST_LOG_POS} = 0;
@@ -757 +1803 @@
         $ret{PASSWORD} = $password;
         $ret{PIDDIR} = $piddir;
-        $ret{WINBINDD_SOCKET_DIR} = $wbsockdir;
+        $ret{SELFTEST_WINBINDD_SOCKET_DIR} = $wbsockdir;
         $ret{WINBINDD_PRIV_PIPE_DIR} = $wbsockprivdir;
         $ret{NMBD_SOCKET_DIR} = $nmbdsockdir;
@@ -763 +1809 @@
         $ret{NSS_WRAPPER_PASSWD} = $nss_wrapper_passwd;
         $ret{NSS_WRAPPER_GROUP} = $nss_wrapper_group;
-        $ret{NSS_WRAPPER_WINBIND_SO_PATH} = $ENV{NSS_WRAPPER_WINBIND_SO_PATH};
+        $ret{NSS_WRAPPER_HOSTS} = $nss_wrapper_hosts;
+        $ret{NSS_WRAPPER_HOSTNAME} = "${hostname}.samba.example.com";
+        $ret{NSS_WRAPPER_MODULE_SO_PATH} = Samba::nss_wrapper_winbind_so_path($self);
+        $ret{NSS_WRAPPER_MODULE_FN_PREFIX} = "winbind";
+        if ($ENV{SAMBA_DNS_FAKING}) {
+                $ret{RESOLV_WRAPPER_HOSTS} = $dns_host_file;
+        } else {
+                $ret{RESOLV_WRAPPER_CONF} = $resolv_conf;
+        }
         $ret{LOCAL_PATH} = "$shrdir";
+        $ret{LOGDIR} = $logdir;
+
+        #
+        # Avoid hitting system krb5.conf -
+        # An env that needs Kerberos will reset this to the real
+        # value.
+        #
+        $ret{KRB5_CONFIG} = abs_path($prefix) . "/no_krb5.conf";
 
         return \%ret;
 }
 
-sub wait_for_start($$)
+sub wait_for_start($$$$$)
 {
-        my ($self, $envvars) = @_;
-
-        # give time for nbt server to register its names
-        print "delaying for nbt name registration\n";
-        sleep(10);
-        # This will return quickly when things are up, but be slow if we need to wait for (eg) SSL init 
-        system($self->binpath("nmblookup") ." $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} __SAMBA__");
-        system($self->binpath("nmblookup") ." $envvars->{CONFIGURATION} __SAMBA__");
-        system($self->binpath("nmblookup") ." $envvars->{CONFIGURATION} -U 127.255.255.255 __SAMBA__");
-        system($self->binpath("nmblookup") ." $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} $envvars->{SERVER}");
-        system($self->binpath("nmblookup") ." $envvars->{CONFIGURATION} $envvars->{SERVER}");
-        # make sure smbd is also up set
-        print "wait for smbd\n";
-        system($self->binpath("smbclient") ." $envvars->{CONFIGURATION} -L $envvars->{SERVER_IP} -U% -p 139 | head -2");
-        system($self->binpath("smbclient") ." $envvars->{CONFIGURATION} -L $envvars->{SERVER_IP} -U% -p 139 | head -2");
+        my ($self, $envvars, $nmbd, $winbindd, $smbd) = @_;
+        my $ret;
+
+        if ($nmbd eq "yes") {
+                my $count = 0;
+
+                # give time for nbt server to register its names
+                print "checking for nmbd\n";
+
+                # This will return quickly when things are up, but be slow if we need to wait for (eg) SSL init
+                my $nmblookup = Samba::bindir_path($self, "nmblookup");
+
+                do {
+                        $ret = system("$nmblookup $envvars->{CONFIGURATION} $envvars->{SERVER}");
+                        if ($ret != 0) {
+                                sleep(1);
+                        } else {
+                                system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} __SAMBA__");
+                                system("$nmblookup $envvars->{CONFIGURATION} __SAMBA__");
+                                system("$nmblookup $envvars->{CONFIGURATION} -U 127.255.255.255 __SAMBA__");
+                                system("$nmblookup $envvars->{CONFIGURATION} -U $envvars->{SERVER_IP} $envvars->{SERVER}");
+                        }
+                        $count++;
+                } while ($ret != 0 && $count < 10);
+                if ($count == 10) {
+                        print "NMBD not reachable after 10 retries\n";
+                        teardown_env($self, $envvars);
+                        return 0;
+                }
+        }
+
+        if ($winbindd eq "yes") {
+            print "checking for winbindd\n";
+            my $count = 0;
+            do {
+                $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --ping-dc");
+                if ($ret != 0) {
+                    sleep(2);
+                }
+                $count++;
+            } while ($ret != 0 && $count < 10);
+            if ($count == 10) {
+                print "WINBINDD not reachable after 20 seconds\n";
+                teardown_env($self, $envvars);
+                return 0;
+            }
+        }
+
+        if ($smbd eq "yes") {
+            # make sure smbd is also up set
+            print "wait for smbd\n";
+
+            my $count = 0;
+            do {
+                $ret = system(Samba::bindir_path($self, "smbclient") ." $envvars->{CONFIGURATION} -L $envvars->{SERVER} -U% -p 139");
+                if ($ret != 0) {
+                    sleep(2);
+                }
+                $count++
+            } while ($ret != 0 && $count < 10);
+            if ($count == 10) {
+                print "SMBD failed to start up in a reasonable time (20sec)\n";
+                teardown_env($self, $envvars);
+                return 0;
+            }
+        }
 
         # Ensure we have domain users mapped.
-        system($self->binpath("net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
+        $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=513 unixgroup=domusers type=domain");
+        if ($ret != 0) {
+            return 1;
+        }
+        $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add rid=512 unixgroup=domadmins type=domain");
+        if ($ret != 0) {
+            return 1;
+        }
+        $ret = system(Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} groupmap add sid=S-1-1-0 unixgroup=everyone type=builtin");
+        if ($ret != 0) {
+            return 1;
+        }
+
+        if ($winbindd eq "yes") {
+            # note: creating builtin groups requires winbindd for the
+            # unix id allocator
+            $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "net") ." $envvars->{CONFIGURATION} sam createbuiltingroup Users");
+            if ($ret != 0) {
+                print "Failed to create BUILTIN\\Users group\n";
+                return 0;
+            }
+            my $count = 0;
+            do {
+                system(Samba::bindir_path($self, "net") . " $envvars->{CONFIGURATION} cache flush");
+                $ret = system("SELFTEST_WINBINDD_SOCKET_DIR=" . $envvars->{SELFTEST_WINBINDD_SOCKET_DIR} . " " . Samba::bindir_path($self, "wbinfo") . " --sid-to-gid=S-1-5-32-545");
+                if ($ret != 0) {
+                    sleep(2);
+                }
+                $count++;
+            } while ($ret != 0 && $count < 10);
+            if ($count == 10) {
+                print "WINBINDD not reachable after 20 seconds\n";
+                teardown_env($self, $envvars);
+                return 0;
+            }
+        }
 
         print $self->getlog_env($envvars);
+
+        return 1;
 }
 

vendor/current/selftest/target/Samba4.pm

@@ -11 +11 @@
 use POSIX;
 use SocketWrapper;
+use target::Samba;
+use target::Samba3;
 
 sub new($$$$$) {
-        my ($classname, $bindir, $ldap, $srcdir, $exeext) = @_;
-        $exeext = "" unless defined($exeext);
+        my ($classname, $bindir, $ldap, $srcdir, $server_maxtime) = @_;
+
         my $self = {
                 vars => {},
@@ -20 +22 @@
                 bindir => $bindir,
                 srcdir => $srcdir,
-                exeext => $exeext
+                server_maxtime => $server_maxtime,
+                target3 => new Samba3($bindir, $srcdir, $server_maxtime)
         };
         bless $self;
@@ -26 +29 @@
 }
 
-sub bindir_path($$) {
-        my ($self, $path) = @_;
-
-        my $valpath = "$self->{bindir}/$path$self->{exeext}";
-
-        return $valpath if (-f $valpath);
-        return $path;
-}
-
 sub scriptdir_path($$) {
         my ($self, $path) = @_;
@@ -46 +40 @@
 {
         my $count = 0;
-        my ($self, $env_vars) = @_;
-        my $ldbsearch = $self->bindir_path("ldbsearch");
+        my ($self, $env_vars, $STDIN_READER) = @_;
+        my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
 
         my $uri = $env_vars->{LDAP_URI};
@@ -57 +51 @@
         # running slapd in the background means it stays in the same process group, so it can be
         # killed by timelimit
-        if ($self->{ldap} eq "fedora-ds") {
-                system("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd -D $env_vars->{FEDORA_DS_DIR} -d0 -i $env_vars->{FEDORA_DS_PIDFILE}> $env_vars->{LDAPDIR}/logs 2>&1 &");
-        } elsif ($self->{ldap} eq "openldap") {
-                system("$ENV{OPENLDAP_SLAPD} -d0 -F $env_vars->{SLAPD_CONF_D} -h $uri > $env_vars->{LDAPDIR}/logs 2>&1 &");
-        }
+        my $pid = fork();
+        if ($pid == 0) {
+                open STDOUT, ">$env_vars->{LDAPDIR}/logs";
+                open STDERR, '>&STDOUT';
+                close($env_vars->{STDIN_PIPE});
+                open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+                if ($self->{ldap} eq "fedora-ds") {
+                        exec("$ENV{FEDORA_DS_ROOT}/sbin/ns-slapd", "-D", $env_vars->{FEDORA_DS_DIR}, "-d0", "-i", $env_vars->{FEDORA_DS_PIDFILE});
+                } elsif ($self->{ldap} eq "openldap") {
+                        exec($ENV{OPENLDAP_SLAPD}, "-dnone", "-F", $env_vars->{SLAPD_CONF_D}, "-h", $uri);
+                }
+                die("Unable to start slapd: $!");
+        }
+        $env_vars->{SLAPD_PID} = $pid;
+        sleep(1);
         while (system("$ldbsearch -H $uri -s base -b \"\" supportedLDAPVersion > /dev/null") != 0) {
                 $count++;
@@ -76 +81 @@
 {
         my ($self, $envvars) = @_;
-        if ($self->{ldap} eq "fedora-ds") {
-                system("$envvars->{LDAPDIR}/slapd-$envvars->{LDAP_INSTANCE}/stop-slapd");
-        } elsif ($self->{ldap} eq "openldap") {
-                unless (open(IN, "<$envvars->{OPENLDAP_PIDFILE}")) {
-                        warn("unable to open slapd pid file: $envvars->{OPENLDAP_PIDFILE}");
-                        return 0;
-                }
-                kill 9, <IN>;
-                close(IN);
-        }
+        kill 9, $envvars->{SLAPD_PID};
         return 1;
 }
@@ -91 +87 @@
 sub check_or_start($$$)
 {
-        my ($self, $env_vars, $max_time) = @_;
-        return 0 if ( -p $env_vars->{SAMBA_TEST_FIFO});
-
-        unlink($env_vars->{SAMBA_TEST_FIFO});
-        POSIX::mkfifo($env_vars->{SAMBA_TEST_FIFO}, 0700);
-        unlink($env_vars->{SAMBA_TEST_LOG});
-        
-        my $pwd = `pwd`;
-        print "STARTING SAMBA for $ENV{ENVNAME}\n";
+        my ($self, $env_vars, $process_model) = @_;
+        my $STDIN_READER;
+
+        my $env_ok = $self->check_env($env_vars);
+        if ($env_ok) {
+            return $env_vars->{SAMBA_PID};
+        }
+
+        # use a pipe for stdin in the child processes. This allows
+        # those processes to monitor the pipe for EOF to ensure they
+        # exit when the test script exits
+        pipe($STDIN_READER, $env_vars->{STDIN_PIPE});
+
+        # Start slapd before samba, but with the fifo on stdin
+        if (defined($self->{ldap})) {
+                unless($self->slapd_start($env_vars, $STDIN_READER)) {
+                        warn("couldn't start slapd (main run)");
+                        return undef;
+                }
+        }
+
+        print "STARTING SAMBA...";
         my $pid = fork();
         if ($pid == 0) {
-                open STDIN, $env_vars->{SAMBA_TEST_FIFO};
                 # we want out from samba to go to the log file, but also
                 # to the users terminal when running 'make test' on the command
@@ -111 +119 @@
                 SocketWrapper::set_default_iface($env_vars->{SOCKET_WRAPPER_DEFAULT_IFACE});
 
-                my $valgrind = "";
-                if (defined($ENV{SAMBA_VALGRIND})) {
-                    $valgrind = $ENV{SAMBA_VALGRIND};
-                }
-
                 $ENV{KRB5_CONFIG} = $env_vars->{KRB5_CONFIG};
-                $ENV{WINBINDD_SOCKET_DIR} = $env_vars->{WINBINDD_SOCKET_DIR};
+                $ENV{SELFTEST_WINBINDD_SOCKET_DIR} = $env_vars->{SELFTEST_WINBINDD_SOCKET_DIR};
+                $ENV{NMBD_SOCKET_DIR} = $env_vars->{NMBD_SOCKET_DIR};
 
                 $ENV{NSS_WRAPPER_PASSWD} = $env_vars->{NSS_WRAPPER_PASSWD};
                 $ENV{NSS_WRAPPER_GROUP} = $env_vars->{NSS_WRAPPER_GROUP};
+                $ENV{NSS_WRAPPER_HOSTS} = $env_vars->{NSS_WRAPPER_HOSTS};
+                $ENV{NSS_WRAPPER_MODULE_SO_PATH} = $env_vars->{NSS_WRAPPER_MODULE_SO_PATH};
+                $ENV{NSS_WRAPPER_MODULE_FN_PREFIX} = $env_vars->{NSS_WRAPPER_MODULE_FN_PREFIX};
+
+                if (defined($env_vars->{RESOLV_WRAPPER_CONF})) {
+                        $ENV{RESOLV_WRAPPER_CONF} = $env_vars->{RESOLV_WRAPPER_CONF};
+                } else {
+                        $ENV{RESOLV_WRAPPER_HOSTS} = $env_vars->{RESOLV_WRAPPER_HOSTS};
+                }
 
                 $ENV{UID_WRAPPER} = "1";
-
-                # Start slapd before samba, but with the fifo on stdin
-                if (defined($self->{ldap})) {
-                        unless($self->slapd_start($env_vars)) {
-                                warn("couldn't start slapd (main run)");
-                                return undef;
-                        }
-                }
-
-                my $optarg = "";
-                if (defined($max_time)) {
-                        $optarg = "--maximum-runtime=$max_time ";
-                }
+                $ENV{UID_WRAPPER_ROOT} = "1";
+
+                $ENV{MAKE_TEST_BINARY} = Samba::bindir_path($self, "samba");
+                my @preargs = ();
+                my @optargs = ();
                 if (defined($ENV{SAMBA_OPTIONS})) {
-                        $optarg.= " $ENV{SAMBA_OPTIONS}";
-                }
-                my $samba = $self->bindir_path("samba");
-
-                # allow selection of the process model using
-                # the environment varibale SAMBA_PROCESS_MODEL
-                # that allows us to change the process model for
-                # individual machines in the build farm
-                my $model = "single";
-                if (defined($ENV{SAMBA_PROCESS_MODEL})) {
-                        $model = $ENV{SAMBA_PROCESS_MODEL};
-                }
-                chomp($pwd);
-                my $cmdline = "$valgrind ${pwd}/$samba $optarg $env_vars->{CONFIGURATION} -M $model -i";
-                my $ret = system("$cmdline");
-                if ($ret == -1) {
-                        print "Unable to start $cmdline: $ret: $!\n";
-                        exit 1;
-                }
-                my $exit = ($ret >> 8);
-                unlink($env_vars->{SAMBA_TEST_FIFO});
-                if ($ret == 0) {
-                        print "$samba exited with no error\n";
-                        exit 0;
-                } elsif ( $ret & 127 ) {
-                        print "$samba got signal ".($ret & 127)." and exits with $exit!\n";
-                } else {
-                        print "$samba failed with status $exit!\n";
-                }
-                if ($exit == 0) {
-                        $exit = -1;
-                }
-                exit $exit;
-        }
-        print "DONE\n";
-
-        open(DATA, ">$env_vars->{SAMBA_TEST_FIFO}");
+                        @optargs = split(/ /, $ENV{SAMBA_OPTIONS});
+                }
+                if(defined($ENV{SAMBA_VALGRIND})) {
+                        @preargs = split(/ /,$ENV{SAMBA_VALGRIND});
+                }
+
+                close($env_vars->{STDIN_PIPE});
+                open STDIN, ">&", $STDIN_READER or die "can't dup STDIN_READER to STDIN: $!";
+
+                exec(@preargs, Samba::bindir_path($self, "samba"), "-M", $process_model, "-i", "--maximum-runtime=$self->{server_maxtime}", $env_vars->{CONFIGURATION}, @optargs) or die("Unable to start samba: $!");
+        }
+        $env_vars->{SAMBA_PID} = $pid;
+        print "DONE ($pid)\n";
+
+        close($STDIN_READER);
+
+        if ($self->wait_for_start($env_vars) != 0) {
+            warn("Samba $pid failed to start up");
+            return undef;
+        }
 
         return $pid;
@@ -181 +169 @@
 {
         my ($self, $testenv_vars) = @_;
+        my $ret = 0;
+
+        if (not $self->check_env($testenv_vars)) {
+            warn("unable to confirm Samba $testenv_vars->{SAMBA_PID} is running");
+            return -1;
+        }
+
         # give time for nbt server to register its names
         print "delaying for nbt name registration\n";
@@ -187 +182 @@
         # This will return quickly when things are up, but be slow if we
         # need to wait for (eg) SSL init
-        my $nmblookup = $self->bindir_path("nmblookup");
+        my $nmblookup =  Samba::bindir_path($self, "nmblookup4");
         system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
-        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSALIAS}");
-        system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSALIAS}");
+        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+        system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
         system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
-        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSALIAS}");
-        system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSALIAS}");
-
+        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
+        system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{NETBIOSNAME}");
+
+        # Ensure we have the first RID Set before we start tests.  This makes the tests more reliable.
+        if ($testenv_vars->{SERVER_ROLE} eq "domain controller" and not ($testenv_vars->{NETBIOSNAME} eq "RODC")) {
+            # Add hosts file for name lookups
+            $ENV{NSS_WRAPPER_HOSTS} = $testenv_vars->{NSS_WRAPPER_HOSTS};
+                if (defined($testenv_vars->{RESOLV_WRAPPER_CONF})) {
+                        $ENV{RESOLV_WRAPPER_CONF} = $testenv_vars->{RESOLV_WRAPPER_CONF};
+                } else {
+                        $ENV{RESOLV_WRAPPER_HOSTS} = $testenv_vars->{RESOLV_WRAPPER_HOSTS};
+                }
+
+            print "waiting for working LDAP and a RID Set to be allocated\n";
+            my $ldbsearch = Samba::bindir_path($self, "ldbsearch");
+            my $count = 0;
+            my $base_dn = "DC=".join(",DC=", split(/\./, $testenv_vars->{REALM}));
+            my $rid_set_dn = "cn=RID Set,cn=$testenv_vars->{NETBIOSNAME},ou=domain controllers,$base_dn";
+            sleep(1);
+            while (system("$ldbsearch -H ldap://$testenv_vars->{SERVER} -U$testenv_vars->{USERNAME}%$testenv_vars->{PASSWORD} -s base -b \"$rid_set_dn\" rIDAllocationPool > /dev/null") != 0) {
+                $count++;
+                if ($count > 40) {
+                    $ret = -1;
+                    last;
+                }
+                sleep(1);
+            }
+        }
         print $self->getlog_env($testenv_vars);
+
+        return $ret
 }
 
@@ -208 +230 @@
         my ($self, $file, $ldif) = @_;
 
-        my $ldbadd = $self->bindir_path("ldbadd");
+        my $ldbadd =  Samba::bindir_path($self, "ldbadd");
         open(LDIF, "|$ldbadd -H $file >/dev/null");
         print LDIF $ldif;
@@ -251 +273 @@
 }
 
-sub mk_keyblobs($$)
-{
-        my ($self, $tlsdir) = @_;
-
-        #TLS and PKINIT crypto blobs
-        my $dhfile = "$tlsdir/dhparms.pem";
-        my $cafile = "$tlsdir/ca.pem";
-        my $certfile = "$tlsdir/cert.pem";
-        my $reqkdc = "$tlsdir/req-kdc.der";
-        my $kdccertfile = "$tlsdir/kdc.pem";
-        my $keyfile = "$tlsdir/key.pem";
-        my $adminkeyfile = "$tlsdir/adminkey.pem";
-        my $reqadmin = "$tlsdir/req-admin.der";
-        my $admincertfile = "$tlsdir/admincert.pem";
-        my $admincertupnfile = "$tlsdir/admincertupn.pem";
-
-        mkdir($tlsdir, 0777);
-
-        #This is specified here to avoid draining entropy on every run
-        open(DHFILE, ">$dhfile");
-        print DHFILE <<EOF;
------BEGIN DH PARAMETERS-----
-MGYCYQC/eWD2xkb7uELmqLi+ygPMKyVcpHUo2yCluwnbPutEueuxrG/Cys8j8wLO
-svCN/jYNyR2NszOmg7ZWcOC/4z/4pWDVPUZr8qrkhj5MRKJc52MncfaDglvEdJrv
-YX70obsCAQI=
------END DH PARAMETERS-----
-EOF
-        close(DHFILE);
-
-        #Likewise, we pregenerate the key material.  This allows the
-        #other certificates to be pre-generated
-        open(KEYFILE, ">$keyfile");
-        print KEYFILE <<EOF;
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpc
-ol3+S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H
-6H+pPqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQAB
-AoGAAqDLzFRR/BF1kpsiUfL4WFvTarCe9duhwj7ORc6fs785qAXuwUYAJ0Uvzmy6
-HqoGv3t3RfmeHDmjcpPHsbOKnsOQn2MgmthidQlPBMWtQMff5zdoYNUFiPS0XQBq
-szNW4PRjaA9KkLQVTwnzdXGkBSkn/nGxkaVu7OR3vJOBoo0CQQDO4upypesnbe6p
-9/xqfZ2uim8IwV1fLlFClV7WlCaER8tsQF4lEi0XSzRdXGUD/dilpY88Nb+xok/X
-8Z8OvgAXAkEA+pcLsx1gN7kxnARxv54jdzQjC31uesJgMKQXjJ0h75aUZwTNHmZQ
-vPxi6u62YiObrN5oivkixwFNncT9MxTxVQJBAMaWUm2SjlLe10UX4Zdm1MEB6OsC
-kVoX37CGKO7YbtBzCfTzJGt5Mwc1DSLA2cYnGJqIfSFShptALlwedot0HikCQAJu
-jNKEKnbf+TdGY8Q0SKvTebOW2Aeg80YFkaTvsXCdyXrmdQcifw4WdO9KucJiDhSz
-Y9hVapz7ykEJtFtWjLECQQDIlfc63I5ZpXfg4/nN4IJXUW6AmPVOYIA5215itgki
-cSlMYli1H9MEXH0pQMGv5Qyd0OYIx2DDg96mZ+aFvqSG
------END RSA PRIVATE KEY-----
-EOF
-        close(KEYFILE);
-
-        open(ADMINKEYFILE, ">$adminkeyfile");
-
-        print ADMINKEYFILE <<EOF;
------BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQD0+OL7TQBj0RejbIH1+g5GeRaWaM9xF43uE5y7jUHEsi5owhZF
-5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMFxB6esnXhl0Jpip1JkUMM
-XLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xdl3JRlwIDAQAB
-AoGAP8mjCP628Ebc2eACQzOWjgEvwYCPK4qPmYOf1zJkArzG2t5XAGJ5WGrENRuB
-cm3XFh1lpmaADl982UdW3gul4gXUy6w4XjKK4vVfhyHj0kZ/LgaXUK9BAGhroJ2L
-osIOUsaC6jdx9EwSRctwdlF3wWJ8NK0g28AkvIk+FlolW4ECQQD7w5ouCDnf58CN
-u4nARx4xv5XJXekBvOomkCQAmuOsdOb6b9wn3mm2E3au9fueITjb3soMR31AF6O4
-eAY126rXAkEA+RgHzybzZEP8jCuznMqoN2fq/Vrs6+W3M8/G9mzGEMgLLpaf2Jiz
-I9tLZ0+OFk9tkRaoCHPfUOCrVWJZ7Y53QQJBAMhoA6rw0WDyUcyApD5yXg6rusf4
-ASpo/tqDkqUIpoL464Qe1tjFqtBM3gSXuhs9xsz+o0bzATirmJ+WqxrkKTECQHt2
-OLCpKqwAspU7N+w32kaUADoRLisCEdrhWklbwpQgwsIVsCaoEOpt0CLloJRYTANE
-yoZeAErTALjyZYZEPcECQQDlUi0N8DFxQ/lOwWyR3Hailft+mPqoPCa8QHlQZnlG
-+cfgNl57YHMTZFwgUVFRdJNpjH/WdZ5QxDcIVli0q+Ko
------END RSA PRIVATE KEY-----
-EOF
-
-        #generated with
-        # hxtool issue-certificate --self-signed --issue-ca \
-        # --ca-private-key="FILE:$KEYFILE" \
-        # --subject="CN=CA,DC=samba,DC=example,DC=com" \
-        # --certificate="FILE:$CAFILE" --lifetime="25 years"
-
-        open(CAFILE, ">$cafile");
-        print CAFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIICcTCCAdqgAwIBAgIUaBPmjnPVqyFqR5foICmLmikJTzgwCwYJKoZIhvcNAQEFMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTIyMzEyWhgPMjAzMzAyMjQx
-MjIzMTJaMFIxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMIGfMA0GCSqGSIb3DQEBAQUA
-A4GNADCBiQKBgQDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+S9/6
-I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+pPqVIRLOmrWIm
-ai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABo0IwQDAOBgNVHQ8BAf8EBAMC
-AaYwHQYDVR0OBBYEFMLZufegDKLZs0VOyFXYK1L6M8oyMA8GA1UdEwEB/wQFMAMBAf8wDQYJ
-KoZIhvcNAQEFBQADgYEAAZJbCAAkaqgFJ0xgNovn8Ydd0KswQPjicwiODPgw9ZPoD2HiOUVO
-yYDRg/dhFF9y656OpcHk4N7qZ2sl3RlHkzDu+dseETW+CnKvQIoXNyeARRJSsSlwrwcoD4JR
-HTLk2sGigsWwrJ2N99sG/cqSJLJ1MFwLrs6koweBnYU0f/g=
------END CERTIFICATE-----
-EOF
-
-        #generated with GNUTLS internally in Samba.
-
-        open(CERTFILE, ">$certfile");
-        print CERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIICYTCCAcygAwIBAgIE5M7SRDALBgkqhkiG9w0BAQUwZTEdMBsGA1UEChMUU2Ft
-YmEgQWRtaW5pc3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1
-dG9nZW5lcmF0ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMB4XDTA2MDgw
-NDA0MzY1MloXDTA4MDcwNDA0MzY1MlowZTEdMBsGA1UEChMUU2FtYmEgQWRtaW5p
-c3RyYXRpb24xNDAyBgNVBAsTK1NhbWJhIC0gdGVtcG9yYXJ5IGF1dG9nZW5lcmF0
-ZWQgY2VydGlmaWNhdGUxDjAMBgNVBAMTBVNhbWJhMIGcMAsGCSqGSIb3DQEBAQOB
-jAAwgYgCgYDKg6pAwCHUMA1DfHDmWhZfd+F0C+9Jxcqvpw9ii9En3E1uflpcol3+
-S9/6I/uaTmJHZre+DF3dTzb/UOZo0Zem8N+IzzkgoGkFafjXuT3BL5UPY2/H6H+p
-PqVIRLOmrWImai359YyoKhFyo37Y6HPeU8QcZ+u2rS9geapIWfeuowIDAQABoyUw
-IzAMBgNVHRMBAf8EAjAAMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAsGCSqGSIb3DQEB
-BQOBgQAmkN6XxvDnoMkGcWLCTwzxGfNNSVcYr7TtL2aJh285Xw9zaxcm/SAZBFyG
-LYOChvh6hPU7joMdDwGfbiLrBnMag+BtGlmPLWwp/Kt1wNmrRhduyTQFhN3PP6fz
-nBr9vVny2FewB2gHmelaPS//tXdxivSXKz3NFqqXLDJjq7P8wA==
------END CERTIFICATE-----
-EOF
-        close(CERTFILE);
-
-        #KDC certificate
-        # hxtool request-create \
-        # --subject="CN=krbtgt,CN=users,DC=samba,DC=example,DC=com" \
-        # --key="FILE:$KEYFILE" $KDCREQ
-
-        # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
-        # --type="pkinit-kdc" \
-        # --pk-init-principal="krbtgt/SAMBA.EXAMPLE.COM@SAMBA.EXAMPLE.COM" \
-        # --req="PKCS10:$KDCREQ" --certificate="FILE:$KDCCERTFILE" \
-        # --lifetime="25 years"
-
-        open(KDCCERTFILE, ">$kdccertfile");
-        print KDCCERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDDDCCAnWgAwIBAgIUI2Tzj+JnMzMcdeabcNo30rovzFAwCwYJKoZIhvcNAQEFMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDgwMzAxMTMxOTIzWhgPMjAzMzAyMjQx
-MzE5MjNaMGYxEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMQ8wDQYDVQQDDAZrcmJ0
-Z3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMqDqkDAIdQwDUN8cOZaFl934XQL70nF
-yq+nD2KL0SfcTW5+WlyiXf5L3/oj+5pOYkdmt74MXd1PNv9Q5mjRl6bw34jPOSCgaQVp+Ne5
-PcEvlQ9jb8fof6k+pUhEs6atYiZqLfn1jKgqEXKjftjoc95TxBxn67atL2B5qkhZ966jAgMB
-AAGjgcgwgcUwDgYDVR0PAQH/BAQDAgWgMBIGA1UdJQQLMAkGBysGAQUCAwUwVAYDVR0RBE0w
-S6BJBgYrBgEFAgKgPzA9oBMbEVNBTUJBLkVYQU1QTEUuQ09NoSYwJKADAgEBoR0wGxsGa3Ji
-dGd0GxFTQU1CQS5FWEFNUExFLkNPTTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS+jPK
-MjAdBgNVHQ4EFgQUwtm596AMotmzRU7IVdgrUvozyjIwCQYDVR0TBAIwADANBgkqhkiG9w0B
-AQUFAAOBgQBmrVD5MCmZjfHp1nEnHqTIh8r7lSmVtDx4s9MMjxm9oNrzbKXynvdhwQYFVarc
-ge4yRRDXtSebErOl71zVJI9CVeQQpwcH+tA85oGA7oeFtO/S7ls581RUU6tGgyxV4veD+lJv
-KPH5LevUtgD+q9H4LU4Sq5N3iFwBaeryB0g2wg==
------END CERTIFICATE-----
-EOF
-
-        # hxtool request-create \
-        # --subject="CN=Administrator,CN=users,DC=samba,DC=example,DC=com" \
-        # --key="FILE:$ADMINKEYFILE" $ADMINREQFILE
-
-        # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
-        # --type="pkinit-client" \
-        # --pk-init-principal="administrator@SAMBA.EXAMPLE.COM" \
-        # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTFILE" \
-        # --lifetime="25 years"
-        
-        open(ADMINCERTFILE, ">$admincertfile");
-        print ADMINCERTFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDHTCCAoagAwIBAgIUUggzW4lLRkMKe1DAR2NKatkMDYwwCwYJKoZIhvcNAQELMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMjE1WhgPMjAzNDA3MjIw
-MzMyMTVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
-bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
-eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
-xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
-l3JRlwIDAQABo4HSMIHPMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
-BgEFBQcDAgYKKwYBBAGCNxQCAjBIBgNVHREEQTA/oD0GBisGAQUCAqAzMDGgExsRU0FNQkEu
-RVhBTVBMRS5DT02hGjAYoAMCAQGhETAPGw1BZG1pbmlzdHJhdG9yMB8GA1UdIwQYMBaAFMLZ
-ufegDKLZs0VOyFXYK1L6M8oyMB0GA1UdDgQWBBQg81bLyfCA88C2B/BDjXlGuaFaxjAJBgNV
-HRMEAjAAMA0GCSqGSIb3DQEBCwUAA4GBAEf/OSHUDJaGdtWGNuJeqcVYVMwrfBAc0OSwVhz1
-7/xqKHWo8wIMPkYRtaRHKLNDsF8GkhQPCpVsa6mX/Nt7YQnNvwd+1SBP5E8GvwWw9ZzLJvma
-nk2n89emuayLpVtp00PymrDLRBcNaRjFReQU8f0o509kiVPHduAp3jOiy13l
------END CERTIFICATE-----
-EOF
-        close(ADMINCERTFILE);
-
-        # hxtool issue-certificate --ca-certificate=FILE:$CAFILE,$KEYFILE \
-        # --type="pkinit-client" \
-        # --ms-upn="administrator@samba.example.com" \
-        # --req="PKCS10:$ADMINREQFILE" --certificate="FILE:$ADMINCERTUPNFILE" \
-        # --lifetime="25 years"
-        
-        open(ADMINCERTUPNFILE, ">$admincertupnfile");
-        print ADMINCERTUPNFILE <<EOF;
------BEGIN CERTIFICATE-----
-MIIDDzCCAnigAwIBAgIUUp3CJMuNaEaAdPKp3QdNIwG7a4wwCwYJKoZIhvcNAQELMFIxEzAR
-BgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxlMRUwEwYKCZImiZPy
-LGQBGQwFc2FtYmExCzAJBgNVBAMMAkNBMCIYDzIwMDkwNzI3MDMzMzA1WhgPMjAzNDA3MjIw
-MzMzMDVaMG0xEzARBgoJkiaJk/IsZAEZDANjb20xFzAVBgoJkiaJk/IsZAEZDAdleGFtcGxl
-MRUwEwYKCZImiZPyLGQBGQwFc2FtYmExDjAMBgNVBAMMBXVzZXJzMRYwFAYDVQQDDA1BZG1p
-bmlzdHJhdG9yMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQD0+OL7TQBj0RejbIH1+g5G
-eRaWaM9xF43uE5y7jUHEsi5owhZF5iIoHZeeL6cpDF5y1BZRs0JlA1VqMry1jjKlzFYVEMMF
-xB6esnXhl0Jpip1JkUMMXLOP1m/0dqayuHBWozj9f/cdyCJr0wJIX1Z8Pr+EjYRGPn/MF0xd
-l3JRlwIDAQABo4HEMIHBMA4GA1UdDwEB/wQEAwIFoDAoBgNVHSUEITAfBgcrBgEFAgMEBggr
-BgEFBQcDAgYKKwYBBAGCNxQCAjA6BgNVHREEMzAxoC8GCisGAQQBgjcUAgOgIQwfYWRtaW5p
-c3RyYXRvckBzYW1iYS5leGFtcGxlLmNvbTAfBgNVHSMEGDAWgBTC2bn3oAyi2bNFTshV2CtS
-+jPKMjAdBgNVHQ4EFgQUIPNWy8nwgPPAtgfwQ415RrmhWsYwCQYDVR0TBAIwADANBgkqhkiG
-9w0BAQsFAAOBgQBk42+egeUB3Ji2PC55fbt3FNKxvmm2xUUFkV9POK/YR9rajKOwk5jtYSeS
-Zd7J9s//rNFNa7waklFkDaY56+QWTFtdvxfE+KoHaqt6X8u6pqi7p3M4wDKQox+9Dx8yWFyq
-Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
------END CERTIFICATE-----
-EOF
-}
-
-sub mk_krb5_conf($$)
-{
-        my ($self, $ctx) = @_;
-
-        unless (open(KRB5CONF, ">$ctx->{krb5_conf}")) {
-                warn("can't open $ctx->{krb5_conf}$?");
-                return undef;
-        }
-        print KRB5CONF "
-#Generated krb5.conf for $ctx->{realm}
-
-[libdefaults]
- default_realm = $ctx->{realm}
- dns_lookup_realm = false
- dns_lookup_kdc = false
- ticket_lifetime = 24h
- forwardable = yes
- allow_weak_crypto = yes
-
-[realms]
- $ctx->{realm} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
- $ctx->{dnsname} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
- $ctx->{domain} = {
-  kdc = $ctx->{kdc_ipv4}:88
-  admin_server = $ctx->{kdc_ipv4}:88
-  default_domain = $ctx->{dnsname}
- }
-
-[appdefaults]
-        pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[kdc]
-        enable-pkinit = true
-        pkinit_identity = FILE:$ctx->{tlsdir}/kdc.pem,$ctx->{tlsdir}/key.pem
-        pkinit_anchors = FILE:$ctx->{tlsdir}/ca.pem
-
-[domain_realm]
- .$ctx->{dnsname} = $ctx->{realm}
-";
-        close(KRB5CONF);
-}
-
-sub provision_raw_prepare($$$$$$$$$$)
-{
-        my ($self, $prefix, $server_role, $netbiosname, $netbiosalias,
+sub setup_namespaces($$:$$)
+{
+        my ($self, $localenv, $upn_array, $spn_array) = @_;
+
+        @{$upn_array} = [] unless defined($upn_array);
+        my $upn_args = "";
+        foreach my $upn (@{$upn_array}) {
+                $upn_args .= " --add-upn-suffix=$upn";
+        }
+
+        @{$spn_array} = [] unless defined($spn_array);
+        my $spn_args = "";
+        foreach my $spn (@{$spn_array}) {
+                $spn_args .= " --add-spn-suffix=$spn";
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+
+        my $cmd_env = "";
+        $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
+                $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+
+        my $cmd_config = " $localenv->{CONFIGURATION}";
+
+        my $namespaces = $cmd_env;
+        $namespaces .= " $samba_tool domain trust namespaces $upn_args $spn_args";
+        $namespaces .= $cmd_config;
+        unless (system($namespaces) == 0) {
+                warn("Failed to add namespaces \n$namespaces");
+                return;
+        }
+
+        return;
+}
+
+sub setup_trust($$$$$)
+{
+        my ($self, $localenv, $remoteenv, $type, $extra_args) = @_;
+
+        $localenv->{TRUST_SERVER} = $remoteenv->{SERVER};
+        $localenv->{TRUST_SERVER_IP} = $remoteenv->{SERVER_IP};
+        $localenv->{TRUST_SERVER_IPV6} = $remoteenv->{SERVER_IPV6};
+        $localenv->{TRUST_NETBIOSNAME} = $remoteenv->{NETBIOSNAME};
+        $localenv->{TRUST_USERNAME} = $remoteenv->{USERNAME};
+        $localenv->{TRUST_PASSWORD} = $remoteenv->{PASSWORD};
+        $localenv->{TRUST_DOMAIN} = $remoteenv->{DOMAIN};
+        $localenv->{TRUST_REALM} = $remoteenv->{REALM};
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        # setup the trust
+        my $cmd_env = "";
+        $cmd_env .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$localenv->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($localenv->{RESOLV_WRAPPER_CONF})) {
+                $cmd_env .= "RESOLV_WRAPPER_CONF=\"$localenv->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd_env .= "RESOLV_WRAPPER_HOSTS=\"$localenv->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd_env .= " KRB5_CONFIG=\"$localenv->{KRB5_CONFIG}\"";
+
+        my $cmd_config = " $localenv->{CONFIGURATION}";
+        my $cmd_creds = $cmd_config;
+        $cmd_creds .= " -U$localenv->{TRUST_DOMAIN}\\\\$localenv->{TRUST_USERNAME}\%$localenv->{TRUST_PASSWORD}";
+
+        my $create = $cmd_env;
+        $create .= " $samba_tool domain trust create --type=${type} $localenv->{TRUST_REALM}";
+        $create .= " $extra_args";
+        $create .= $cmd_creds;
+        unless (system($create) == 0) {
+                warn("Failed to create trust \n$create");
+                return undef;
+        }
+
+        return $localenv
+}
+
+sub provision_raw_prepare($$$$$$$$$$$)
+{
+        my ($self, $prefix, $server_role, $hostname,
             $domain, $realm, $functional_level,
-            $swiface, $password, $kdc_ipv4) = @_;
+            $password, $kdc_ipv4, $kdc_ipv6) = @_;
         my $ctx;
+        my $netbiosname = uc($hostname);
 
         unless(-d $prefix or mkdir($prefix, 0777)) {
@@ -530 +374 @@
         }
 
+        
+        my $swiface = Samba::get_interface($hostname);
+
         $ctx->{prefix} = $prefix;
         $ctx->{prefix_abs} = $prefix_abs;
-        
-        $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
 
         $ctx->{server_role} = $server_role;
+        $ctx->{hostname} = $hostname;
         $ctx->{netbiosname} = $netbiosname;
-        $ctx->{netbiosalias} = $netbiosalias;
         $ctx->{swiface} = $swiface;
         $ctx->{password} = $password;
         $ctx->{kdc_ipv4} = $kdc_ipv4;
-
+        $ctx->{kdc_ipv6} = $kdc_ipv6;
+        if ($functional_level eq "2000") {
+                $ctx->{supported_enctypes} = "arcfour-hmac-md5 des-cbc-md5 des-cbc-crc"
+        }
+
+#
+# Set smbd log level here.
+#
         $ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
         $ctx->{username} = "Administrator";
@@ -547 +399 @@
         $ctx->{realm} = uc($realm);
         $ctx->{dnsname} = lc($realm);
-        $ctx->{sid_generator} = "internal";
 
         $ctx->{functional_level} = $functional_level;
@@ -555 +406 @@
         $ctx->{unix_name} = $unix_name;
         $ctx->{unix_uid} = $>;
+        my @mygid = split(" ", $();
+        $ctx->{unix_gid} = $mygid[0];
         $ctx->{unix_gids_str} = $);
         @{$ctx->{unix_gids}} = split(" ", $ctx->{unix_gids_str});
@@ -565 +418 @@
         $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
         $ctx->{lockdir} = "$prefix_abs/lockdir";
+        $ctx->{logdir} = "$prefix_abs/logs";
+        $ctx->{statedir} = "$prefix_abs/statedir";
+        $ctx->{cachedir} = "$prefix_abs/cachedir";
         $ctx->{winbindd_socket_dir} = "$prefix_abs/winbindd_socket";
         $ctx->{winbindd_privileged_socket_dir} = "$prefix_abs/winbindd_privileged_socket";
@@ -570 +426 @@
         $ctx->{nsswrap_passwd} = "$ctx->{etcdir}/passwd";
         $ctx->{nsswrap_group} = "$ctx->{etcdir}/group";
+        $ctx->{nsswrap_hosts} = "$ENV{SELFTEST_PREFIX}/hosts";
+        if ($ENV{SAMBA_DNS_FAKING}) {
+                $ctx->{dns_host_file} = "$ENV{SELFTEST_PREFIX}/dns_host_file";
+                $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf} --all-interfaces --use-file=$ctx->{dns_host_file}";
+        } else {
+                $ctx->{resolv_conf} = "$ctx->{etcdir}/resolv.conf";
+                $ctx->{samba_dnsupdate} = "$ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate -s $ctx->{smb_conf}";
+        }
 
         $ctx->{tlsdir} = "$ctx->{privatedir}/tls";
 
         $ctx->{ipv4} = "127.0.0.$swiface";
-        $ctx->{interfaces} = "$ctx->{ipv4}/8";
+        $ctx->{ipv6} = sprintf("fd00:0000:0000:0000:0000:0000:5357:5f%02x", $swiface);
+        $ctx->{interfaces} = "$ctx->{ipv4}/8 $ctx->{ipv6}/64";
 
         push(@{$ctx->{directories}}, $ctx->{privatedir});
         push(@{$ctx->{directories}}, $ctx->{etcdir});
         push(@{$ctx->{directories}}, $ctx->{piddir});
-        push(@{$ctx->{directories}}, $ctx->{ncalrpcdir});
         push(@{$ctx->{directories}}, $ctx->{lockdir});
+        push(@{$ctx->{directories}}, $ctx->{logdir});
+        push(@{$ctx->{directories}}, $ctx->{statedir});
+        push(@{$ctx->{directories}}, $ctx->{cachedir});
 
         $ctx->{smb_conf_extra_options} = "";
 
         my @provision_options = ();
+        push (@provision_options, "KRB5_CONFIG=\"$ctx->{krb5_config}\"");
         push (@provision_options, "NSS_WRAPPER_PASSWD=\"$ctx->{nsswrap_passwd}\"");
         push (@provision_options, "NSS_WRAPPER_GROUP=\"$ctx->{nsswrap_group}\"");
+        push (@provision_options, "NSS_WRAPPER_HOSTS=\"$ctx->{nsswrap_hosts}\"");
+        if (defined($ctx->{resolv_conf})) {
+                push (@provision_options, "RESOLV_WRAPPER_CONF=\"$ctx->{resolv_conf}\"");
+        } else {
+                push (@provision_options, "RESOLV_WRAPPER_HOSTS=\"$ctx->{dns_host_file}\"");
+        }
         if (defined($ENV{GDB_PROVISION})) {
                 push (@provision_options, "gdb --args");
@@ -604 +478 @@
                 push (@provision_options, $ENV{PYTHON});
         }
-        push (@provision_options, "$self->{srcdir}/source4/setup/provision");
+        push (@provision_options, Samba::bindir_path($self, "samba-tool"));
+        push (@provision_options, "domain");
+        push (@provision_options, "provision");
         push (@provision_options, "--configfile=$ctx->{smb_conf}");
-        push (@provision_options, "--host-name=$ctx->{netbiosname}");
+        push (@provision_options, "--host-name=$ctx->{hostname}");
         push (@provision_options, "--host-ip=$ctx->{ipv4}");
         push (@provision_options, "--quiet");
@@ -632 +508 @@
         mkdir($_, 0777) foreach (@{$ctx->{directories}});
 
+        ##
+        ## lockdir and piddir must be 0755
+        ##
+        chmod 0755, $ctx->{lockdir};
+        chmod 0755, $ctx->{piddir};
+
         unless (open(CONFFILE, ">$ctx->{smb_conf}")) {
                 warn("can't open $ctx->{smb_conf}$?");
                 return undef;
         }
+
+        Samba::prepare_keyblobs($ctx);
+        my $crlfile = "$ctx->{tlsdir}/crl.pem";
+        $crlfile = "" unless -e ${crlfile};
+
         print CONFFILE "
 [global]
         netbios name = $ctx->{netbiosname}
-        netbios aliases = $ctx->{netbiosalias}
-        posix:eadb = $ctx->{lockdir}/eadb.tdb
+        posix:eadb = $ctx->{statedir}/eadb.tdb
         workgroup = $ctx->{domain}
         realm = $ctx->{realm}
@@ -647 +533 @@
         ncalrpc dir = $ctx->{ncalrpcdir}
         lock dir = $ctx->{lockdir}
+        state directory = $ctx->{statedir}
+        cache directory = $ctx->{cachedir}
         winbindd socket directory = $ctx->{winbindd_socket_dir}
         winbindd privileged socket directory = $ctx->{winbindd_privileged_socket_dir}
         ntp signd socket directory = $ctx->{ntp_signd_socket_dir}
         winbind separator = /
-        name resolve order = file bcast
         interfaces = $ctx->{interfaces}
         tls dh params file = $ctx->{tlsdir}/dhparms.pem
-        panic action = $RealBin/gdb_backtrace \%PID% \%PROG%
+        tls crlfile = ${crlfile}
+        tls verify peer = no_check
+        panic action = $RealBin/gdb_backtrace \%d
         wins support = yes
         server role = $ctx->{server_role}
-        server services = +echo
+        server services = +echo +smb -s3fs
+        dcerpc endpoint servers = +winreg +srvsvc
         notify:inotify = false
         ldb:nosync = true
+        ldap server require strong auth = yes
 #We don't want to pass our self-tests if the PAC code is wrong
         gensec:require_pac = true
+        log file = $ctx->{logdir}/log.\%m
         log level = $ctx->{server_loglevel}
         lanman auth = Yes
         rndc command = true
-        dns update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --all-interfaces --use-file=$ctx->{dns_host_file}
-        spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate
-        resolv:host file = $ctx->{dns_host_file}
+        dns update command = $ctx->{samba_dnsupdate}
+        spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
         dreplsrv:periodic_startup_interval = 0
+        dsdb:schema update allowed = yes
+
+        vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
+
+        # remove this again, when our smb2 client library
+        # supports signin on compound related requests
+        server signing = on
+
+        idmap_ldb:use rfc2307=yes
+        winbind enum users = yes
+        winbind enum groups = yes
 ";
-
-        if (defined($ctx->{sid_generator}) && $ctx->{sid_generator} ne "internal") {
-                print CONFFILE "
-        sid generator = $ctx->{sid_generator}";
-        }
 
         print CONFFILE "
@@ -684 +581 @@
         close(CONFFILE);
 
-        $self->mk_keyblobs($ctx->{tlsdir});
-
-        $self->mk_krb5_conf($ctx);
+        #Default the KDC IP to the server's IP
+        if (not defined($ctx->{kdc_ipv4})) {
+                $ctx->{kdc_ipv4} = $ctx->{ipv4};
+        }
+        if (not defined($ctx->{kdc_ipv6})) {
+                $ctx->{kdc_ipv6} = $ctx->{ipv6};
+        }
+
+        Samba::mk_krb5_conf($ctx);
 
         open(PWD, ">$ctx->{nsswrap_passwd}");
-        print PWD "
-root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false
-$ctx->{unix_name}:x:$ctx->{unix_uid}:@{$ctx->{unix_gids}}[0]:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false
-nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
+        if ($ctx->{unix_uid} != 0) {
+                print PWD "root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false\n";
+        }
+        print PWD "$ctx->{unix_name}:x:$ctx->{unix_uid}:65531:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false\n";
+        print PWD "nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest2:x:65532:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest3:x:65531:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest4:x:65530:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
 ";
         close(PWD);
+        my $uid_rfc2307test = 65533;
 
         open(GRP, ">$ctx->{nsswrap_group}");
-        print GRP "
-root:x:0:
-wheel:x:10:
-users:x:100:
+        if ($ctx->{unix_gid} != 0) {
+                print GRP "root:x:0:\n";
+        }
+        print GRP "$ctx->{unix_name}:x:$ctx->{unix_gid}:\n";
+        print GRP "wheel:x:10:
+users:x:65531:
 nobody:x:65533:
 nogroup:x:65534:nobody
 ";
         close(GRP);
+        my $gid_rfc2307test = 65532;
+
+        my $hostname = lc($ctx->{hostname});
+        open(HOSTS, ">>$ctx->{nsswrap_hosts}");
+        if ($hostname eq "localdc") {
+                print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+                print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} $ctx->{dnsname} ${hostname}\n";
+        } else {
+                print HOSTS "$ctx->{ipv4} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+                print HOSTS "$ctx->{ipv6} ${hostname}.$ctx->{dnsname} ${hostname}\n";
+        }
+        close(HOSTS);
+
+        if (defined($ctx->{resolv_conf})) {
+                open(RESOLV_CONF, ">$ctx->{resolv_conf}");
+                print RESOLV_CONF "nameserver $ctx->{kdc_ipv4}\n";
+                print RESOLV_CONF "nameserver $ctx->{kdc_ipv6}\n";
+                close(RESOLV_CONF);
+        }
 
         my $configuration = "--configfile=$ctx->{smb_conf}";
 
 #Ensure the config file is valid before we start
-        my $testparm = $self->scriptdir_path("bin/testparm");
+        my $testparm = Samba::bindir_path($self, "samba-tool") . " testparm";
         if (system("$testparm $configuration -v --suppress-prompt >/dev/null 2>&1") != 0) {
                 system("$testparm -v --suppress-prompt $configuration >&2");
@@ -723 +653 @@
                 KRB5_CONFIG => $ctx->{krb5_conf},
                 PIDDIR => $ctx->{piddir},
-                SERVER => $ctx->{netbiosname},
+                SERVER => $ctx->{hostname},
                 SERVER_IP => $ctx->{ipv4},
+                SERVER_IPV6 => $ctx->{ipv6},
                 NETBIOSNAME => $ctx->{netbiosname},
-                NETBIOSALIAS => $ctx->{netbiosalias},
                 DOMAIN => $ctx->{domain},
                 USERNAME => $ctx->{username},
@@ -733 +663 @@
                 LDAPDIR => $ctx->{ldapdir},
                 LDAP_INSTANCE => $ctx->{ldap_instance},
-                WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
+                SELFTEST_WINBINDD_SOCKET_DIR => $ctx->{winbindd_socket_dir},
                 NCALRPCDIR => $ctx->{ncalrpcdir},
                 LOCKDIR => $ctx->{lockdir},
+                STATEDIR => $ctx->{statedir},
+                CACHEDIR => $ctx->{cachedir},
+                PRIVATEDIR => $ctx->{privatedir},
                 SERVERCONFFILE => $ctx->{smb_conf},
                 CONFIGURATION => $configuration,
@@ -741 +674 @@
                 NSS_WRAPPER_PASSWD => $ctx->{nsswrap_passwd},
                 NSS_WRAPPER_GROUP => $ctx->{nsswrap_group},
+                NSS_WRAPPER_HOSTS => $ctx->{nsswrap_hosts},
                 SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
                 SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
                 SAMBA_TEST_LOG_POS => 0,
+                NSS_WRAPPER_MODULE_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
+                NSS_WRAPPER_MODULE_FN_PREFIX => "winbind",
+                LOCAL_PATH => $ctx->{share},
+                UID_RFC2307TEST => $uid_rfc2307test,
+                GID_RFC2307TEST => $gid_rfc2307test,
+                SERVER_ROLE => $ctx->{server_role}
         };
+
+        if (defined($ctx->{resolv_conf})) {
+                $ret->{RESOLV_WRAPPER_CONF} = $ctx->{resolv_conf};
+        } else {
+                $ret->{RESOLV_WRAPPER_HOSTS} = $ctx->{dns_host_file};
+        }
 
         return $ret;
@@ -762 +708 @@
         }
 
+        my $testallowed_account = "testallowed";
+        my $samba_tool_cmd = "";
+        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+            . " user add --configfile=$ctx->{smb_conf} $testallowed_account $ctx->{password}";
+        unless (system($samba_tool_cmd) == 0) {
+                warn("Unable to add testallowed user: \n$samba_tool_cmd\n");
+                return undef;
+        }
+
+        my $ldbmodify = "";
+        $ldbmodify .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $ldbmodify .= Samba::bindir_path($self, "ldbmodify");
+        my $base_dn = "DC=".join(",DC=", split(/\./, $ctx->{realm}));
+
+        if ($ctx->{server_role} ne "domain controller") {
+                $base_dn = "DC=$ctx->{netbiosname}";
+        }
+
+        my $user_dn = "cn=$testallowed_account,cn=users,$base_dn";
+        $testallowed_account = "testallowed account";
+        open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+        print LDIF "dn: $user_dn
+changetype: modify
+replace: samAccountName
+samAccountName: $testallowed_account
+-
+";
+        close(LDIF);
+
+        open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+        print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testallowed upn\@$ctx->{realm}
+replace: servicePrincipalName
+servicePrincipalName: host/testallowed
+-           
+";
+        close(LDIF);
+
+        $samba_tool_cmd = "";
+        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+            . " user add --configfile=$ctx->{smb_conf} testdenied $ctx->{password}";
+        unless (system($samba_tool_cmd) == 0) {
+                warn("Unable to add testdenied user: \n$samba_tool_cmd\n");
+                return undef;
+        }
+
+        my $user_dn = "cn=testdenied,cn=users,$base_dn";
+        open(LDIF, "|$ldbmodify -H $ctx->{privatedir}/sam.ldb");
+        print LDIF "dn: $user_dn
+changetype: modify
+replace: userPrincipalName
+userPrincipalName: testdenied_upn\@$ctx->{realm}.upn
+-           
+";
+        close(LDIF);
+
+        $samba_tool_cmd = "";
+        $samba_tool_cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $samba_tool_cmd .= Samba::bindir_path($self, "samba-tool")
+            . " group addmembers --configfile=$ctx->{smb_conf} 'Allowed RODC Password Replication Group' '$testallowed_account'";
+        unless (system($samba_tool_cmd) == 0) {
+                warn("Unable to add '$testallowed_account' user to 'Allowed RODC Password Replication Group': \n$samba_tool_cmd\n");
+                return undef;
+        }
+
         return $ret;
 }
 
-sub provision($$$$$$$$$)
-{
-        my ($self, $prefix, $server_role, $netbiosname, $netbiosalias,
+sub provision($$$$$$$$$$)
+{
+        my ($self, $prefix, $server_role, $hostname,
             $domain, $realm, $functional_level,
-            $swiface, $password, $kdc_ipv4, $extra_smbconf_options) = @_;
+            $password, $kdc_ipv4, $kdc_ipv6, $extra_smbconf_options, $extra_smbconf_shares,
+            $extra_provision_options) = @_;
 
         my $ctx = $self->provision_raw_prepare($prefix, $server_role,
-                                               $netbiosname, $netbiosalias,
+                                               $hostname,
                                                $domain, $realm, $functional_level,
-                                               $swiface, $password, $kdc_ipv4);
-
-        $ctx->{tmpdir} = "$ctx->{prefix_abs}/tmp";
-        push(@{$ctx->{directories}}, "$ctx->{tmpdir}");
-        push(@{$ctx->{directories}}, "$ctx->{tmpdir}/test1");
-        push(@{$ctx->{directories}}, "$ctx->{tmpdir}/test2");
+                                               $password, $kdc_ipv4, $kdc_ipv6);
+
+        if (defined($extra_provision_options)) {
+                push (@{$ctx->{provision_options}}, @{$extra_provision_options});
+        } else {
+                push (@{$ctx->{provision_options}}, "--use-ntvfs");
+        }
+
+        $ctx->{share} = "$ctx->{prefix_abs}/share";
+        push(@{$ctx->{directories}}, "$ctx->{share}");
+        push(@{$ctx->{directories}}, "$ctx->{share}/test1");
+        push(@{$ctx->{directories}}, "$ctx->{share}/test2");
+
+        # precreate directories for printer drivers
+        push(@{$ctx->{directories}}, "$ctx->{share}/W32X86");
+        push(@{$ctx->{directories}}, "$ctx->{share}/x64");
+        push(@{$ctx->{directories}}, "$ctx->{share}/WIN40");
+
         my $msdfs = "no";
         $msdfs = "yes" if ($server_role eq "domain controller");
@@ -786 +814 @@
         max xmit = 32K
         server max protocol = SMB2
-        $extra_smbconf_options
         host msdfs = $msdfs
         lanman auth = yes
+        allow nt4 crypto = yes
+
+        # fruit:copyfile is a global option
+        fruit:copyfile = yes
+
+        $extra_smbconf_options
 
 [tmp]
-        path = $ctx->{tmpdir}
+        path = $ctx->{share}
         read only = no
-        posix:sharedelay = 10000
+        posix:sharedelay = 100000
         posix:oplocktimeout = 3
         posix:writetimeupdatedelay = 500000
 
+[xcopy_share]
+        path = $ctx->{share}
+        read only = no
+        posix:sharedelay = 100000
+        posix:oplocktimeout = 3
+        posix:writetimeupdatedelay = 500000
+        create mask = 777
+        force create mode = 777
+
+[posix_share]
+        path = $ctx->{share}
+        read only = no
+        create mask = 0777
+        force create mode = 0
+        directory mask = 0777
+        force directory mode = 0
+
 [test1]
-        path = $ctx->{tmpdir}/test1
+        path = $ctx->{share}/test1
         read only = no
-        posix:sharedelay = 10000
+        posix:sharedelay = 100000
         posix:oplocktimeout = 3
-        posix:writetimeupdatedelay = 50000
+        posix:writetimeupdatedelay = 500000
 
 [test2]
-        path = $ctx->{tmpdir}/test2
+        path = $ctx->{share}/test2
         read only = no
-        posix:sharedelay = 10000
+        posix:sharedelay = 100000
         posix:oplocktimeout = 3
-        posix:writetimeupdatedelay = 50000
+        posix:writetimeupdatedelay = 500000
 
 [cifs]
+        path = $ctx->{share}/_ignore_cifs_
         read only = no
         ntvfs handler = cifs
         cifs:server = $ctx->{netbiosname}
         cifs:share = tmp
-#There is no username specified here, instead the client is expected
-#to log in with kerberos, and the serverwill use delegated credentials.
+        cifs:use-s4u2proxy = yes
+        # There is no username specified here, instead the client is expected
+        # to log in with kerberos, and the serverwill use delegated credentials.
+        # Or the server tries s4u2self/s4u2proxy to impersonate the client
 
 [simple]
-        path = $ctx->{tmpdir}
+        path = $ctx->{share}
         read only = no
         ntvfs handler = simple
 
 [sysvol]
-        path = $ctx->{lockdir}/sysvol
-        read only = yes
+        path = $ctx->{statedir}/sysvol
+        read only = no
 
 [netlogon]
-        path = $ctx->{lockdir}/sysvol/$ctx->{dnsname}/scripts
+        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
         read only = no
 
@@ -835 +888 @@
         copy = simple
         ntvfs handler = cifsposix
+
+[vfs_fruit]
+        path = $ctx->{share}
+        vfs objects = catia fruit streams_xattr acl_xattr
+        ea support = yes
+        fruit:ressource = file
+        fruit:metadata = netatalk
+        fruit:locking = netatalk
+        fruit:encoding = native
+
+$extra_smbconf_shares
 ";
 
@@ -845 +909 @@
                 $ldap_uri = "ldapi://$ldap_uri";
                 $ctx->{ldap_uri} = $ldap_uri;
-                if ($self->{ldap} eq "fedora-ds") {
-                        $ctx->{sid_generator} = "backend";
-                }
 
                 $ctx->{ldap_instance} = lc($ctx->{netbiosname});
@@ -876 +937 @@
 }
 
-sub provision_member($$$)
+sub provision_s4member($$$)
 {
         my ($self, $prefix, $dcvars) = @_;
         print "PROVISIONING MEMBER...";
-
+        my $extra_smb_conf = "
+        passdb backend = samba_dsdb
+winbindd:use external pipes = true
+
+rpc_server:default = external
+rpc_server:svcctl = embedded
+rpc_server:srvsvc = embedded
+rpc_server:eventlog = embedded
+rpc_server:ntsvcs = embedded
+rpc_server:winreg = embedded
+rpc_server:spoolss = embedded
+rpc_daemon:spoolssd = embedded
+rpc_server:tcpip = no
+";
         my $ret = $self->provision($prefix,
                                    "member server",
-                                   "localmember",
-                                   "member3",
+                                   "s4member",
                                    "SAMBADOMAIN",
                                    "samba.example.com",
                                    "2008",
-                                   3,
                                    "locMEMpass3",
                                    $dcvars->{SERVER_IP},
-                                   "");
+                                   $dcvars->{SERVER_IPV6},
+                                   $extra_smb_conf, "", undef);
         unless ($ret) {
                 return undef;
         }
 
-        my $samba_tool = $self->bindir_path("samba-tool");
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
+        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+        unless (system($cmd) == 0) {
+                warn("Join failed\n$cmd");
+                return undef;
+        }
+
+        $ret->{MEMBER_SERVER} = $ret->{SERVER};
+        $ret->{MEMBER_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{MEMBER_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{MEMBER_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{MEMBER_USERNAME} = $ret->{USERNAME};
+        $ret->{MEMBER_PASSWORD} = $ret->{PASSWORD};
+
+        $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+
+        return $ret;
+}
+
+sub provision_rpc_proxy($$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+        print "PROVISIONING RPC PROXY...";
+
+        my $extra_smbconf_options = "
+        passdb backend = samba_dsdb
+
+        # rpc_proxy
+        dcerpc_remote:binding = ncacn_ip_tcp:$dcvars->{SERVER}
+        dcerpc endpoint servers = epmapper, remote
+        dcerpc_remote:interfaces = rpcecho
+
+[cifs_to_dc]
+        path = /tmp/_ignore_cifs_to_dc_/_none_
+        read only = no
+        ntvfs handler = cifs
+        cifs:server = $dcvars->{SERVER}
+        cifs:share = cifs
+        cifs:use-s4u2proxy = yes
+        # There is no username specified here, instead the client is expected
+        # to log in with kerberos, and the serverwill use delegated credentials.
+        # Or the server tries s4u2self/s4u2proxy to impersonate the client
+
+";
+
+        my $ret = $self->provision($prefix,
+                                   "member server",
+                                   "localrpcproxy",
+                                   "SAMBADOMAIN",
+                                   "samba.example.com",
+                                   "2008",
+                                   "locRPCproxypass4",
+                                   $dcvars->{SERVER_IP},
+                                   $dcvars->{SERVER_IPV6},
+                                   $extra_smbconf_options, "", undef);
+
+        unless ($ret) {
+                return undef;
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+
+        # The joind runs in the context of the rpc_proxy/member for now
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} member";
+        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+        unless (system($cmd) == 0) {
+                warn("Join failed\n$cmd");
+                return undef;
+        }
+
+        # Setting up delegation runs in the context of the DC for now
+        $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool delegation for-any-protocol '$ret->{NETBIOSNAME}\$' on";
+        $cmd .= " $dcvars->{CONFIGURATION}";
+        print $cmd;
+
+        unless (system($cmd) == 0) {
+                warn("Delegation failed\n$cmd");
+                return undef;
+        }
+
+        # Setting up delegation runs in the context of the DC for now
+        $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$dcvars->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        $cmd .= "KRB5_CONFIG=\"$dcvars->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool delegation add-service '$ret->{NETBIOSNAME}\$' cifs/$dcvars->{SERVER}";
+        $cmd .= " $dcvars->{CONFIGURATION}";
+
+        unless (system($cmd) == 0) {
+                warn("Delegation failed\n$cmd");
+                return undef;
+        }
+
+        $ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
+        $ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{RPC_PROXY_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{RPC_PROXY_USERNAME} = $ret->{USERNAME};
+        $ret->{RPC_PROXY_PASSWORD} = $ret->{PASSWORD};
+
+        $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+
+        return $ret;
+}
+
+sub provision_promoted_dc($$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+        print "PROVISIONING PROMOTED DC...";
+
+        # We do this so that we don't run the provision.  That's the job of 'samba-tool domain dcpromo'.
+        my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+                                               "promotedvdc",
+                                               "SAMBADOMAIN",
+                                               "samba.example.com",
+                                               "2008",
+                                               $dcvars->{PASSWORD},
+                                               $dcvars->{SERVER_IP},
+                                               $dcvars->{SERVER_IPV6});
+
+        push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
+        $ctx->{smb_conf_extra_options} = "
+        max xmit = 32K
+        server max protocol = SMB2
+
+[sysvol]
+        path = $ctx->{statedir}/sysvol
+        read only = yes
+
+[netlogon]
+        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+        read only = no
+
+";
+
+        my $ret = $self->provision_raw_step1($ctx);
+        unless ($ret) {
+                return undef;
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
+        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD}";
+
+        unless (system($cmd) == 0) {
+                warn("Join failed\n$cmd");
+                return undef;
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
         my $cmd = "";
         $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
         $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-        $cmd .= "$samba_tool join $ret->{CONFIGURATION} $dcvars->{REALM} member";
+        $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
         $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs --dns-backend=BIND9_DLZ";
 
         unless (system($cmd) == 0) {
@@ -908 +1174 @@
         }
 
-        $ret->{MEMBER_SERVER} = $ret->{SERVER};
-        $ret->{MEMBER_SERVER_IP} = $ret->{SERVER_IP};
-        $ret->{MEMBER_NETBIOSNAME} = $ret->{NETBIOSNAME};
-        $ret->{MEMBER_NETBIOSALIAS} = $ret->{NETBIOSALIAS};
-        $ret->{MEMBER_USERNAME} = $ret->{USERNAME};
-        $ret->{MEMBER_PASSWORD} = $ret->{PASSWORD};
+        $ret->{PROMOTED_DC_SERVER} = $ret->{SERVER};
+        $ret->{PROMOTED_DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{PROMOTED_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{PROMOTED_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
 
         $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
         $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
         $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
-        $ret->{DC_NETBIOSALIAS} = $dcvars->{DC_NETBIOSALIAS};
         $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
         $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
@@ -925 +1189 @@
 }
 
-sub provision_rpc_proxy($$$)
+sub provision_vampire_dc($$$)
 {
         my ($self, $prefix, $dcvars) = @_;
-        print "PROVISIONING RPC PROXY...";
-
-        my $extra_smbconf_options = "dcerpc_remote:binding = ncacn_ip_tcp:localdc
-       dcerpc endpoint servers = epmapper, remote
-       dcerpc_remote:interfaces = rpcecho
+        print "PROVISIONING VAMPIRE DC...";
+
+        # We do this so that we don't run the provision.  That's the job of 'net vampire'.
+        my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+                                               "localvampiredc",
+                                               "SAMBADOMAIN",
+                                               "samba.example.com",
+                                               "2008",
+                                               $dcvars->{PASSWORD},
+                                               $dcvars->{SERVER_IP},
+                                               $dcvars->{SERVER_IPV6});
+
+        push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
+        $ctx->{smb_conf_extra_options} = "
+        max xmit = 32K
+        server max protocol = SMB2
+
+[sysvol]
+        path = $ctx->{statedir}/sysvol
+        read only = yes
+
+[netlogon]
+        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+        read only = no
+
 ";
 
+        my $ret = $self->provision_raw_step1($ctx);
+        unless ($ret) {
+                return undef;
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
+        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
+
+        unless (system($cmd) == 0) {
+                warn("Join failed\n$cmd");
+                return undef;
+        }
+
+        $ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER};
+        $ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{VAMPIRE_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+
+        $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+        $ret->{DC_REALM} = $dcvars->{DC_REALM};
+
+        return $ret;
+}
+
+sub provision_subdom_dc($$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+        print "PROVISIONING SUBDOMAIN DC...";
+
+        # We do this so that we don't run the provision.  That's the job of 'net vampire'.
+        my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+                                               "localsubdc",
+                                               "SAMBASUBDOM",
+                                               "sub.samba.example.com",
+                                               "2008",
+                                               $dcvars->{PASSWORD},
+                                               undef);
+
+        push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
+        $ctx->{smb_conf_extra_options} = "
+        max xmit = 32K
+        server max protocol = SMB2
+
+[sysvol]
+        path = $ctx->{statedir}/sysvol
+        read only = yes
+
+[netlogon]
+        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+        read only = no
+
+";
+
+        my $ret = $self->provision_raw_step1($ctx);
+        unless ($ret) {
+                return undef;
+        }
+
+        Samba::mk_krb5_conf($ctx);
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
+        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{dnsname} subdomain ";
+        $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --machinepass=machine$ret->{PASSWORD} --use-ntvfs";
+        $cmd .= " --adminpass=$ret->{PASSWORD}";
+
+        unless (system($cmd) == 0) {
+                warn("Join failed\n$cmd");
+                return undef;
+        }
+
+        $ret->{SUBDOM_DC_SERVER} = $ret->{SERVER};
+        $ret->{SUBDOM_DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{SUBDOM_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{SUBDOM_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+
+        $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+        $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+        $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+        $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+
+        return $ret;
+}
+
+sub provision_ad_dc_ntvfs($$)
+{
+        my ($self, $prefix) = @_;
+
+        # We keep the old 'winbind' name here in server services to
+        # ensure upgrades which used that name still work with the now
+        # alias.
+
+        print "PROVISIONING AD DC (NTVFS)...";
+        my $extra_conf_options = "netbios aliases = localDC1-a
+        server services = +winbind -winbindd
+        ldap server require strong auth = allow_sasl_over_tls
+        ";
         my $ret = $self->provision($prefix,
-                                   "member server",
-                                   "localrpcproxy",
-                                   "rpcproxy4",
+                                   "domain controller",
+                                   "localdc",
                                    "SAMBADOMAIN",
                                    "samba.example.com",
                                    "2008",
-                                   4,
-                                   "locRPCproxypass4",
-                                   $dcvars->{SERVER_IP},
-                                   $extra_smbconf_options);
-
-        unless ($ret) {
-                return undef;
-        }
-
-        my $samba_tool = $self->bindir_path("samba-tool");
-        my $cmd = "";
-        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
-        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-        $cmd .= "$samba_tool join $ret->{CONFIGURATION} $dcvars->{REALM} member";
-        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-
-        unless (system($cmd) == 0) {
-                warn("Join failed\n$cmd");
-                return undef;
-        }
-
-        $ret->{RPC_PROXY_SERVER} = $ret->{SERVER};
-        $ret->{RPC_PROXY_SERVER_IP} = $ret->{SERVER_IP};
-        $ret->{RPC_PROXY_NETBIOSNAME} = $ret->{NETBIOSNAME};
-        $ret->{RPC_PROXY_NETBIOSALIAS} = $ret->{NETBIOSALIAS};
-        $ret->{RPC_PROXY_USERNAME} = $ret->{USERNAME};
-        $ret->{RPC_PROXY_PASSWORD} = $ret->{PASSWORD};
+                                   "locDCpass1",
+                                   undef,
+                                   undef,
+                                   $extra_conf_options,
+                                   "",
+                                   undef);
+
+        return undef unless(defined $ret);
+        unless($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+        $ret->{NETBIOSALIAS} = "localdc1-a";
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+        $ret->{DC_REALM} = $ret->{REALM};
 
         return $ret;
 }
 
-sub provision_vampire_dc($$$)
+sub provision_fl2000dc($$)
+{
+        my ($self, $prefix) = @_;
+
+        print "PROVISIONING DC WITH FOREST LEVEL 2000...";
+        my $extra_conf_options = "
+        spnego:simulate_w2k=yes
+        ntlmssp_server:force_old_spnego=yes
+";
+        my $ret = $self->provision($prefix,
+                                   "domain controller",
+                                   "dc5",
+                                   "SAMBA2000",
+                                   "samba2000.example.com",
+                                   "2000",
+                                   "locDCpass5",
+                                   undef,
+                                   undef,
+                                   $extra_conf_options,
+                                   "",
+                                   undef);
+
+        unless($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+        $ret->{DC_REALM} = $ret->{REALM};
+
+        return $ret;
+}
+
+sub provision_fl2003dc($$$)
 {
         my ($self, $prefix, $dcvars) = @_;
-        print "PROVISIONING VAMPIRE DC...";
-
-        # We do this so that we don't run the provision.  That's the job of 'net vampire'.
+
+        print "PROVISIONING DC WITH FOREST LEVEL 2003...";
+        my $extra_conf_options = "allow dns updates = nonsecure and secure";
+        my $ret = $self->provision($prefix,
+                                   "domain controller",
+                                   "dc6",
+                                   "SAMBA2003",
+                                   "samba2003.example.com",
+                                   "2003",
+                                   "locDCpass6",
+                                   undef,
+                                   undef,
+                                   $extra_conf_options,
+                                   "",
+                                   undef);
+
+        unless (defined $ret) {
+                return undef;
+        }
+
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+
+        my @samba_tool_options;
+        push (@samba_tool_options, Samba::bindir_path($self, "samba-tool"));
+        push (@samba_tool_options, "domain");
+        push (@samba_tool_options, "passwordsettings");
+        push (@samba_tool_options, "set");
+        push (@samba_tool_options, "--configfile=$ret->{SERVERCONFFILE}");
+        push (@samba_tool_options, "--min-pwd-age=0");
+        push (@samba_tool_options, "--history-length=1");
+
+        my $samba_tool_cmd = join(" ", @samba_tool_options);
+
+        unless (system($samba_tool_cmd) == 0) {
+                warn("Unable to set min password age to 0: \n$samba_tool_cmd\n");
+                return undef;
+        }
+
+        return $ret;
+
+        unless($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+
+        return $ret;
+}
+
+sub provision_fl2008r2dc($$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+
+        print "PROVISIONING DC WITH FOREST LEVEL 2008r2...";
+        my $extra_conf_options = "ldap server require strong auth = no";
+        my $ret = $self->provision($prefix,
+                                   "domain controller",
+                                   "dc7",
+                                   "SAMBA2008R2",
+                                   "samba2008R2.example.com",
+                                   "2008_R2",
+                                   "locDCpass7",
+                                   undef,
+                                   undef,
+                                   $extra_conf_options,
+                                   "",
+                                   undef);
+
+        unless ($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+        $ret->{DC_REALM} = $ret->{REALM};
+
+        return $ret;
+}
+
+
+sub provision_rodc($$$)
+{
+        my ($self, $prefix, $dcvars) = @_;
+        print "PROVISIONING RODC...";
+
+        # We do this so that we don't run the provision.  That's the job of 'net join RODC'.
         my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
-                                               "localvampiredc",
-                                               "dc2",
+                                               "rodc",
                                                "SAMBADOMAIN",
                                                "samba.example.com",
                                                "2008",
-                                               2, $dcvars->{PASSWORD},
-                                               $dcvars->{SERVER_IP});
+                                               $dcvars->{PASSWORD},
+                                               $dcvars->{SERVER_IP},
+                                               $dcvars->{SERVER_IPV6});
+        unless ($ctx) {
+                return undef;
+        }
+
+        push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
+        $ctx->{share} = "$ctx->{prefix_abs}/share";
+        push(@{$ctx->{directories}}, "$ctx->{share}");
 
         $ctx->{smb_conf_extra_options} = "
@@ -993 +1529 @@
 
 [sysvol]
-        path = $ctx->{lockdir}/sysvol
+        path = $ctx->{statedir}/sysvol
         read only = yes
 
 [netlogon]
-        path = $ctx->{lockdir}/sysvol/$ctx->{dnsname}/scripts
-        read only = no
-
-";
-
-        my $ret = $self->provision_raw_step1($ctx);
-        unless ($ret) {
-                return undef;
-        }
-
-        my $samba_tool = $self->bindir_path("samba-tool");
-        my $cmd = "";
-        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
-        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-        $cmd .= "$samba_tool join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
-        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-
-        unless (system($cmd) == 0) {
-                warn("Join failed\n$cmd");
-                return undef;
-        }
-
-        $ret->{VAMPIRE_DC_SERVER} = $ret->{SERVER};
-        $ret->{VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
-        $ret->{VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
-        $ret->{VAMPIRE_DC_NETBIOSALIAS} = $ret->{NETBIOSALIAS};
-
-        $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
-        $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
-        $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
-        $ret->{DC_NETBIOSALIAS} = $dcvars->{DC_NETBIOSALIAS};
-        $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
-        $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
-
-        return $ret;
-}
-
-sub provision_dc($$)
-{
-        my ($self, $prefix) = @_;
-
-        print "PROVISIONING DC...";
-        my $ret = $self->provision($prefix,
-                                   "domain controller",
-                                   "localdc",
-                                   "dc1",
-                                   "SAMBADOMAIN",
-                                   "samba.example.com",
-                                   "2008",
-                                   1,
-                                   "locDCpass1",
-                                   "127.0.0.1", "");
-
-        return undef unless(defined $ret);
-        unless($self->add_wins_config("$prefix/private")) {
-                warn("Unable to add wins configuration");
-                return undef;
-        }
-
-        $ret->{DC_SERVER} = $ret->{SERVER};
-        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
-        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
-        $ret->{DC_NETBIOSALIAS} = $ret->{NETBIOSALIAS};
-        $ret->{DC_USERNAME} = $ret->{USERNAME};
-        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
-
-        return $ret;
-}
-
-sub provision_fl2000dc($$)
-{
-        my ($self, $prefix) = @_;
-
-        print "PROVISIONING DC...";
-        my $ret = $self->provision($prefix,
-                                   "domain controller",
-                                   "dc5",
-                                   "localfl2000dc",
-                                   "SAMBA2000",
-                                   "samba2000.example.com",
-                                   "2000",
-                                   5,
-                                   "locDCpass5",
-                                   "127.0.0.5", "");
-
-        unless($self->add_wins_config("$prefix/private")) {
-                warn("Unable to add wins configuration");
-                return undef;
-        }
-
-        return $ret;
-}
-
-sub provision_fl2003dc($$)
-{
-        my ($self, $prefix) = @_;
-
-        print "PROVISIONING DC...";
-        my $ret = $self->provision($prefix,
-                                   "domain controller",
-                                   "dc6",
-                                   "localfl2003dc",
-                                   "SAMBA2003",
-                                   "samba2003.example.com",
-                                   "2003",
-                                   6,
-                                   "locDCpass6",
-                                   "127.0.0.6", "");
-
-        unless($self->add_wins_config("$prefix/private")) {
-                warn("Unable to add wins configuration");
-                return undef;
-        }
-
-        return $ret;
-}
-
-sub provision_fl2008r2dc($$)
-{
-        my ($self, $prefix) = @_;
-
-        print "PROVISIONING DC...";
-        my $ret = $self->provision($prefix,
-                                   "domain controller",
-                                   "dc7",
-                                   "localfl2000r2dc",
-                                   "SAMBA2008R2",
-                                   "samba2008R2.example.com",
-                                   "2008_R2",
-                                   7,
-                                   "locDCpass7",
-                                   "127.0.0.7", "");
-
-        unless ($self->add_wins_config("$prefix/private")) {
-                warn("Unable to add wins configuration");
-                return undef;
-        }
-
-        return $ret;
-}
-
-
-sub provision_rodc($$$)
-{
-        my ($self, $prefix, $dcvars) = @_;
-        print "PROVISIONING RODC...";
-
-        # We do this so that we don't run the provision.  That's the job of 'net join RODC'.
-        my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
-                                               "rodc",
-                                               "dc8",
-                                               "SAMBADOMAIN",
-                                               "samba.example.com",
-                                               "2008",
-                                               8, $dcvars->{PASSWORD},
-                                               $dcvars->{SERVER_IP});
-        unless ($ctx) {
-                return undef;
-        }
-
-        $ctx->{tmpdir} = "$ctx->{prefix_abs}/tmp";
-        push(@{$ctx->{directories}}, "$ctx->{tmpdir}");
-
-        $ctx->{smb_conf_extra_options} = "
-        max xmit = 32K
-        server max protocol = SMB2
-
-[sysvol]
-        path = $ctx->{lockdir}/sysvol
+        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
         read only = yes
 
-[netlogon]
-        path = $ctx->{lockdir}/sysvol/$ctx->{dnsname}/scripts
-        read only = yes
-
 [tmp]
-        path = $ctx->{tmpdir}
+        path = $ctx->{share}
         read only = no
         posix:sharedelay = 10000
         posix:oplocktimeout = 3
-        posix:writetimeupdatedelay = 500000
+        posix:writetimeupdatedelay = 50000
 
 ";
@@ -1186 +1550 @@
         }
 
-        my $samba_tool = $self->bindir_path("samba-tool");
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
         my $cmd = "";
         $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+        if (defined($ret->{RESOLV_WRAPPER_CONF})) {
+                $cmd .= "RESOLV_WRAPPER_CONF=\"$ret->{RESOLV_WRAPPER_CONF}\" ";
+        } else {
+                $cmd .= "RESOLV_WRAPPER_HOSTS=\"$ret->{RESOLV_WRAPPER_HOSTS}\" ";
+        }
         $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
-        $cmd .= "$samba_tool join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
+        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
         $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+        $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
+
+        unless (system($cmd) == 0) {
+                warn("RODC join failed\n$cmd");
+                return undef;
+        }
+
+        # This ensures deterministic behaviour for tests that want to have the 'testallowed account'
+        # user password verified on the RODC
+        my $testallowed_account = "testallowed account";
+        $cmd = "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+        $cmd .= "$samba_tool rodc preload '$testallowed_account' $ret->{CONFIGURATION}";
         $cmd .= " --server=$dcvars->{DC_SERVER}";
 
@@ -1203 +1584 @@
         # the proxy code
         $ctx->{kdc_ipv4} = $ret->{SERVER_IP};
-        $self->mk_krb5_conf($ctx);
+        $ctx->{kdc_ipv6} = $ret->{SERVER_IPV6};
+        Samba::mk_krb5_conf($ctx);
 
         $ret->{RODC_DC_SERVER} = $ret->{SERVER};
         $ret->{RODC_DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{RODC_DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
         $ret->{RODC_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
-        $ret->{RODC_DC_NETBIOSALIAS} = $ret->{NETBIOSALIAS};
 
         $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
         $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $dcvars->{DC_SERVER_IPV6};
         $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
-        $ret->{DC_NETBIOSALIAS} = $dcvars->{DC_NETBIOSALIAS};
         $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
         $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
@@ -1220 +1602 @@
 }
 
+sub provision_ad_dc($$)
+{
+        my ($self, $prefix) = @_;
+
+        my $prefix_abs = abs_path($prefix);
+
+        my $bindir_abs = abs_path($self->{bindir});
+        my $lockdir="$prefix_abs/lockdir";
+        my $conffile="$prefix_abs/etc/smb.conf";
+
+        my $extra_smbconf_options = "
+        server services = -smb +s3fs
+        xattr_tdb:file = $prefix_abs/statedir/xattr.tdb
+
+        dbwrap_tdb_mutexes:* = yes
+
+        kernel oplocks = no
+        kernel change notify = no
+
+        logging = file
+        printing = bsd
+        printcap name = /dev/null
+
+        max protocol = SMB3
+        read only = no
+        server signing = auto
+
+        smbd:sharedelay = 100000
+        smbd:writetimeupdatedelay = 500000
+        create mask = 755
+        dos filemode = yes
+
+        dcerpc endpoint servers = -winreg -srvsvc
+
+        printcap name = /dev/null
+
+        addprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -a -s $conffile --
+        deleteprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -d -s $conffile --
+
+        printing = vlp
+        print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
+        lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
+        lp rm command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lprm %p %j
+        lp pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lppause %p %j
+        lp resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpresume %p %j
+        queue pause command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queuepause %p
+        queue resume command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb queueresume %p
+        lpq cache time = 0
+        print notify backchannel = yes
+";
+
+        my $extra_smbconf_shares = "
+
+[tmpenc]
+        copy = tmp
+        smb encrypt = required
+
+[tmpcase]
+        copy = tmp
+        case sensitive = yes
+
+[tmpguest]
+        copy = tmp
+        guest ok = yes
+
+[hideunread]
+        copy = tmp
+        hide unreadable = yes
+
+[durable]
+        copy = tmp
+        kernel share modes = no
+        kernel oplocks = no
+        posix locking = no
+
+[print\$]
+        copy = tmp
+
+[print1]
+        copy = tmp
+        printable = yes
+
+[print2]
+        copy = print1
+[print3]
+        copy = print1
+[lp]
+        copy = print1
+";
+
+        print "PROVISIONING AD DC...";
+        my $ret = $self->provision($prefix,
+                                   "domain controller",
+                                   "addc",
+                                   "ADDOMAIN",
+                                   "addom.samba.example.com",
+                                   "2008",
+                                   "locDCpass1",
+                                   undef,
+                                   undef,
+                                   $extra_smbconf_options,
+                                   $extra_smbconf_shares,
+                                   undef);
+
+        return undef unless(defined $ret);
+        unless($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+
+        return $ret;
+}
+
+sub provision_chgdcpass($$)
+{
+        my ($self, $prefix) = @_;
+
+        print "PROVISIONING CHGDCPASS...";
+        my $extra_provision_options = undef;
+        push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
+        my $ret = $self->provision($prefix,
+                                   "domain controller",
+                                   "chgdcpass",
+                                   "CHDCDOMAIN",
+                                   "chgdcpassword.samba.example.com",
+                                   "2008",
+                                   "chgDCpass1",
+                                   undef,
+                                   undef,
+                                   "",
+                                   "",
+                                   $extra_provision_options);
+
+        return undef unless(defined $ret);
+        unless($self->add_wins_config("$prefix/private")) {
+                warn("Unable to add wins configuration");
+                return undef;
+        }
+        
+        # Remove secrets.tdb from this environment to test that we
+        # still start up on systems without the new matching
+        # secrets.tdb records.
+        unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb") || unlink("$ret->{PRIVATEDIR}/secrets.ntdb")) {
+                warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
+                return undef;
+        }
+            
+        $ret->{DC_SERVER} = $ret->{SERVER};
+        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
+        $ret->{DC_SERVER_IPV6} = $ret->{SERVER_IPV6};
+        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+        $ret->{DC_USERNAME} = $ret->{USERNAME};
+        $ret->{DC_PASSWORD} = $ret->{PASSWORD};
+
+        return $ret;
+}
+
 sub teardown_env($$)
 {
@@ -1225 +1771 @@
         my $pid;
 
-        close(DATA);
-
-        if (open(IN, "<$envvars->{PIDDIR}/samba.pid")) {
-                $pid = <IN>;
-                close(IN);
-
-                # Give the process 20 seconds to exit.  gcov needs
-                # this time to write out the covarge data
-                my $count = 0;
-                until (kill(0, $pid) == 0) {
-                        # if no process sucessfully signalled, then we are done
-                        sleep(1);
-                        $count++;
-                        last if $count > 20;
-                }
-
-                # If it is still around, kill it
-                if ($count > 20) {
-                        print "server process $pid took more than $count seconds to exit, killing\n";
-                        kill 9, $pid;
-                }
-        }
-
-        my $failed = $? >> 8;
+        # This should cause samba to terminate gracefully
+        close($envvars->{STDIN_PIPE});
+
+        $pid = $envvars->{SAMBA_PID};
+        my $count = 0;
+        my $childpid;
+
+        # This should give it time to write out the gcov data
+        until ($count > 30) {
+            if (Samba::cleanup_child($pid, "samba") == -1) {
+                last;
+            }
+            sleep(1);
+            $count++;
+        }
+
+        if ($count > 30 || kill(0, $pid)) {
+            kill "TERM", $pid;
+
+            until ($count > 40) {
+                if (Samba::cleanup_child($pid, "samba") == -1) {
+                    last;
+                }
+                sleep(1);
+                $count++;
+            }
+            # If it is still around, kill it
+            warn "server process $pid took more than $count seconds to exit, killing\n";
+            kill 9, $pid;
+        }
 
         $self->slapd_stop($envvars) if ($self->{ldap});
@@ -1254 +1806 @@
         print $self->getlog_env($envvars);
 
-        return $failed;
+        return;
 }
 
@@ -1280 +1832 @@
 {
         my ($self, $envvars) = @_;
-
-        return (-p $envvars->{SAMBA_TEST_FIFO});
+        my $samba_pid = $envvars->{SAMBA_PID};
+
+        if (not defined($samba_pid)) {
+            return 0;
+        } elsif ($samba_pid > 0) {
+            my $childpid = Samba::cleanup_child($samba_pid, "samba");
+
+            if ($childpid == 0) {
+                return 1;
+            }
+            return 0;
+        } else {
+            return 1;
+        }
+
 }
 
@@ -1287 +1852 @@
 {
         my ($self, $envname, $path) = @_;
+        my $target3 = $self->{target3};
 
         $ENV{ENVNAME} = $envname;
 
-        if ($envname eq "dc") {
-                return $self->setup_dc("$path/dc");
+        if (defined($self->{vars}->{$envname})) {
+                return $self->{vars}->{$envname};
+        }
+
+        if ($envname eq "ad_dc_ntvfs") {
+                return $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
         } elsif ($envname eq "fl2000dc") {
                 return $self->setup_fl2000dc("$path/fl2000dc");
         } elsif ($envname eq "fl2003dc") {
-                return $self->setup_fl2003dc("$path/fl2003dc");
+                if (not defined($self->{vars}->{ad_dc})) {
+                        $self->setup_ad_dc("$path/ad_dc");
+                }
+                return $self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{ad_dc});
         } elsif ($envname eq "fl2008r2dc") {
-                return $self->setup_fl2008r2dc("$path/fl2008r2dc");
+                if (not defined($self->{vars}->{ad_dc})) {
+                        $self->setup_ad_dc("$path/ad_dc");
+                }
+                return $self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{ad_dc});
         } elsif ($envname eq "rpc_proxy") {
-                if (not defined($self->{vars}->{dc})) {
-                        $self->setup_dc("$path/dc");
-                }
-                return $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{dc});
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{ad_dc_ntvfs});
         } elsif ($envname eq "vampire_dc") {
-                if (not defined($self->{vars}->{dc})) {
-                        $self->setup_dc("$path/dc");
-                }
-                return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{dc});
-        } elsif ($envname eq "member") {
-                if (not defined($self->{vars}->{dc})) {
-                        $self->setup_dc("$path/dc");
-                }
-                return $self->setup_member("$path/member", $self->{vars}->{dc});
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{ad_dc_ntvfs});
+        } elsif ($envname eq "promoted_dc") {
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_promoted_dc("$path/promoted_dc", $self->{vars}->{ad_dc_ntvfs});
+        } elsif ($envname eq "subdom_dc") {
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_subdom_dc("$path/subdom_dc", $self->{vars}->{ad_dc_ntvfs});
+        } elsif ($envname eq "s4member") {
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_s4member("$path/s4member", $self->{vars}->{ad_dc_ntvfs});
         } elsif ($envname eq "rodc") {
-                if (not defined($self->{vars}->{dc})) {
-                        $self->setup_dc("$path/dc");
-                }
-                return $self->setup_rodc("$path/rodc", $self->{vars}->{dc});
-        } elsif ($envname eq "all") {
-                if (not defined($self->{vars}->{dc})) {
-                        $ENV{ENVNAME} = "dc";
-                        $self->setup_dc("$path/dc");
-                }
-                my $ret = $self->setup_member("$path/member", $self->{vars}->{dc});
-                if (not defined($self->{vars}->{rpc_proxy})) {
-                        $ENV{ENVNAME} = "rpc_proxy";
-                        my $rpc_proxy_ret = $self->setup_rpc_proxy("$path/rpc_proxy", $self->{vars}->{dc});
-                        
-                        $ret->{RPC_PROXY_SERVER} = $rpc_proxy_ret->{SERVER};
-                        $ret->{RPC_PROXY_SERVER_IP} = $rpc_proxy_ret->{SERVER_IP};
-                        $ret->{RPC_PROXY_NETBIOSNAME} = $rpc_proxy_ret->{NETBIOSNAME};
-                        $ret->{RPC_PROXY_NETBIOSALIAS} = $rpc_proxy_ret->{NETBIOSALIAS};
-                        $ret->{RPC_PROXY_USERNAME} = $rpc_proxy_ret->{USERNAME};
-                        $ret->{RPC_PROXY_PASSWORD} = $rpc_proxy_ret->{PASSWORD};
-                }
-                if (not defined($self->{vars}->{fl2000dc})) {
-                        $ENV{ENVNAME} = "fl2000dc";
-                        my $fl2000dc_ret = $self->setup_fl2000dc("$path/fl2000dc", $self->{vars}->{dc});
-                        
-                        $ret->{FL2000DC_SERVER} = $fl2000dc_ret->{SERVER};
-                        $ret->{FL2000DC_SERVER_IP} = $fl2000dc_ret->{SERVER_IP};
-                        $ret->{FL2000DC_NETBIOSNAME} = $fl2000dc_ret->{NETBIOSNAME};
-                        $ret->{FL2000DC_NETBIOSALIAS} = $fl2000dc_ret->{NETBIOSALIAS};
-                        $ret->{FL2000DC_USERNAME} = $fl2000dc_ret->{USERNAME};
-                        $ret->{FL2000DC_PASSWORD} = $fl2000dc_ret->{PASSWORD};
-                }
-                if (not defined($self->{vars}->{fl2003dc})) {
-                        $ENV{ENVNAME} = "fl2003dc";
-                        my $fl2003dc_ret = $self->setup_fl2003dc("$path/fl2003dc", $self->{vars}->{dc});
-
-                        $ret->{FL2003DC_SERVER} = $fl2003dc_ret->{SERVER};
-                        $ret->{FL2003DC_SERVER_IP} = $fl2003dc_ret->{SERVER_IP};
-                        $ret->{FL2003DC_NETBIOSNAME} = $fl2003dc_ret->{NETBIOSNAME};
-                        $ret->{FL2003DC_NETBIOSALIAS} = $fl2003dc_ret->{NETBIOSALIAS};
-                        $ret->{FL2003DC_USERNAME} = $fl2003dc_ret->{USERNAME};
-                        $ret->{FL2003DC_PASSWORD} = $fl2003dc_ret->{PASSWORD};
-                }
-                if (not defined($self->{vars}->{fl2008r2dc})) {
-                        $ENV{ENVNAME} = "fl2008r2dc";
-                        my $fl2008r2dc_ret = $self->setup_fl2008r2dc("$path/fl2008r2dc", $self->{vars}->{dc});
-
-                        $ret->{FL2008R2DC_SERVER} = $fl2008r2dc_ret->{SERVER};
-                        $ret->{FL2008R2DC_SERVER_IP} = $fl2008r2dc_ret->{SERVER_IP};
-                        $ret->{FL2008R2DC_NETBIOSNAME} = $fl2008r2dc_ret->{NETBIOSNAME};
-                        $ret->{FL2008R2DC_NETBIOSALIAS} = $fl2008r2dc_ret->{NETBIOSALIAS};
-                        $ret->{FL2008R2DC_USERNAME} = $fl2008r2dc_ret->{USERNAME};
-                        $ret->{FL2008R2DC_PASSWORD} = $fl2008r2dc_ret->{PASSWORD};
-                }
-                return $ret;
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $self->setup_rodc("$path/rodc", $self->{vars}->{ad_dc_ntvfs});
+        } elsif ($envname eq "chgdcpass") {
+                return $self->setup_chgdcpass("$path/chgdcpass", $self->{vars}->{chgdcpass});
+        } elsif ($envname eq "ad_member") {
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $target3->setup_admember("$path/ad_member", $self->{vars}->{ad_dc_ntvfs}, 29);
+        } elsif ($envname eq "ad_dc") {
+                return $self->setup_ad_dc("$path/ad_dc");
+        } elsif ($envname eq "ad_dc_no_nss") {
+                return $self->setup_ad_dc("$path/ad_dc_no_nss", "no_nss");
+        } elsif ($envname eq "ad_member_rfc2307") {
+                if (not defined($self->{vars}->{ad_dc_ntvfs})) {
+                        $self->setup_ad_dc_ntvfs("$path/ad_dc_ntvfs");
+                }
+                return $target3->setup_admember_rfc2307("$path/ad_member_rfc2307",
+                                                        $self->{vars}->{ad_dc_ntvfs}, 34);
+        } elsif ($envname eq "none") {
+                return $self->setup_none("$path/none");
         } else {
-                warn("Samba4 can't provide environment '$envname'");
-                return undef;
-        }
-}
-
-sub setup_member($$$)
+                return "UNKNOWN";
+        }
+}
+
+sub setup_s4member($$$)
 {
         my ($self, $path, $dc_vars) = @_;
 
-        my $env = $self->provision_member($path, $dc_vars);
+        my $env = $self->provision_s4member($path, $dc_vars);
 
         if (defined $env) {
-                $self->check_or_start($env, ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
-
-                $self->{vars}->{member} = $env;
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                $self->{vars}->{s4member} = $env;
         }
 
@@ -1399 +1952 @@
 
         if (defined $env) {
-                $self->check_or_start($env, ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
 
                 $self->{vars}->{rpc_proxy} = $env;
@@ -1408 +1961 @@
 }
 
-sub setup_dc($$)
+sub setup_ad_dc_ntvfs($$)
 {
         my ($self, $path) = @_;
 
-        my $env = $self->provision_dc($path);
+        my $env = $self->provision_ad_dc_ntvfs($path);
         if (defined $env) {
-                $self->check_or_start($env,
-                        ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
-
-                $self->{vars}->{dc} = $env;
+                if (not defined($self->check_or_start($env, "standard"))) {
+                    warn("Failed to start ad_dc_ntvfs");
+                        return undef;
+                }
+
+                $self->{vars}->{ad_dc_ntvfs} = $env;
+        }
+        return $env;
+}
+
+sub setup_chgdcpass($$)
+{
+        my ($self, $path) = @_;
+
+        my $env = $self->provision_chgdcpass($path);
+        if (defined $env) {
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                $self->{vars}->{chgdcpass} = $env;
         }
         return $env;
@@ -1430 +1998 @@
         my $env = $self->provision_fl2000dc($path);
         if (defined $env) {
-                $self->check_or_start($env,
-                        ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
 
                 $self->{vars}->{fl2000dc} = $env;
@@ -1441 +2008 @@
 }
 
-sub setup_fl2003dc($$)
-{
-        my ($self, $path) = @_;
+sub setup_fl2003dc($$$)
+{
+        my ($self, $path, $dc_vars) = @_;
 
         my $env = $self->provision_fl2003dc($path);
 
         if (defined $env) {
-                $self->check_or_start($env,
-                        ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                $env = $self->setup_trust($env, $dc_vars, "external", "--no-aes-keys");
 
                 $self->{vars}->{fl2003dc} = $env;
@@ -1458 +2026 @@
 }
 
-sub setup_fl2008r2dc($$)
-{
-        my ($self, $path) = @_;
+sub setup_fl2008r2dc($$$)
+{
+        my ($self, $path, $dc_vars) = @_;
 
         my $env = $self->provision_fl2008r2dc($path);
 
         if (defined $env) {
-                $self->check_or_start($env,
-                        ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                my $upn_array = ["$env->{REALM}.upn"];
+                my $spn_array = ["$env->{REALM}.spn"];
+
+                $self->setup_namespaces($env, $upn_array, $spn_array);
+
+                $env = $self->setup_trust($env, $dc_vars, "forest", "");
 
                 $self->{vars}->{fl2008r2dc} = $env;
@@ -1483 +2057 @@
 
         if (defined $env) {
-                $self->check_or_start($env,
-                        ($ENV{SMBD_MAXTIME} or 7500));
-
-                $self->wait_for_start($env);
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
 
                 $self->{vars}->{vampire_dc} = $env;
@@ -1492 +2065 @@
                 # force replicated DC to update repsTo/repsFrom
                 # for vampired partitions
-                my $samba_tool = $self->bindir_path("samba-tool");
+                my $samba_tool =  Samba::bindir_path($self, "samba-tool");
                 my $cmd = "";
-                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+                if (defined($env->{RESOLV_WRAPPER_CONF})) {
+                        $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
+                } else {
+                        $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
+                }
                 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
-                $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+                $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
+                $cmd .= " $env->{CONFIGURATION}";
                 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
                 unless (system($cmd) == 0) {
@@ -1506 +2085 @@
                 # we need to synchronize data between DCs
                 my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
-                $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd = "";
+                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+                if (defined($env->{RESOLV_WRAPPER_CONF})) {
+                        $cmd .= "RESOLV_WRAPPER_CONF=\"$env->{RESOLV_WRAPPER_CONF}\" ";
+                } else {
+                        $cmd .= "RESOLV_WRAPPER_HOSTS=\"$env->{RESOLV_WRAPPER_HOSTS}\" ";
+                }
                 $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
-                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{VAMPIRE_DC_SERVER}";
+                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
+                $cmd .= " $dc_vars->{CONFIGURATION}";
                 $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
                 # replicate Configuration NC
@@ -1527 +2113 @@
 }
 
+sub setup_promoted_dc($$$)
+{
+        my ($self, $path, $dc_vars) = @_;
+
+        my $env = $self->provision_promoted_dc($path, $dc_vars);
+
+        if (defined $env) {
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                $self->{vars}->{promoted_dc} = $env;
+
+                # force source and replicated DC to update repsTo/repsFrom
+                # for vampired partitions
+                my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+                my $cmd = "";
+                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+                $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+                $cmd .= " $env->{CONFIGURATION}";
+                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+                unless (system($cmd) == 0) {
+                        warn("Failed to exec kcc\n$cmd");
+                        return undef;
+                }
+
+                my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+                my $cmd = "";
+                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+                $cmd .= " $samba_tool drs kcc $env->{SERVER}";
+                $cmd .= " $env->{CONFIGURATION}";
+                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+                unless (system($cmd) == 0) {
+                        warn("Failed to exec kcc\n$cmd");
+                        return undef;
+                }
+
+                # as 'vampired' dc may add data in its local replica
+                # we need to synchronize data between DCs
+                my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+                $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
+                $cmd .= " $dc_vars->{CONFIGURATION}";
+                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+                # replicate Configuration NC
+                my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+                unless(system($cmd_repl) == 0) {
+                        warn("Failed to replicate\n$cmd_repl");
+                        return undef;
+                }
+                # replicate Default NC
+                $cmd_repl = "$cmd \"$base_dn\"";
+                unless(system($cmd_repl) == 0) {
+                        warn("Failed to replicate\n$cmd_repl");
+                        return undef;
+                }
+        }
+
+        return $env;
+}
+
+sub setup_subdom_dc($$$)
+{
+        my ($self, $path, $dc_vars) = @_;
+
+        my $env = $self->provision_subdom_dc($path, $dc_vars);
+
+        if (defined $env) {
+                if (not defined($self->check_or_start($env, "single"))) {
+                        return undef;
+                }
+
+                $self->{vars}->{subdom_dc} = $env;
+
+                # force replicated DC to update repsTo/repsFrom
+                # for primary domain partitions
+                my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+                my $cmd = "";
+                $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+                $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+                $cmd .= " $env->{CONFIGURATION}";
+                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
+                unless (system($cmd) == 0) {
+                        warn("Failed to exec kcc\n$cmd");
+                        return undef;
+                }
+
+                # as 'subdomain' dc may add data in its local replica
+                # we need to synchronize data between DCs
+                my $base_dn = "DC=".join(",DC=", split(/\./, $env->{REALM}));
+                my $config_dn = "CN=Configuration,DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+                $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+                $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SUBDOM_DC_SERVER}";
+                $cmd .= " $dc_vars->{CONFIGURATION}";
+                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD} --realm=$dc_vars->{DC_REALM}";
+                # replicate Configuration NC
+                my $cmd_repl = "$cmd \"$config_dn\"";
+                unless(system($cmd_repl) == 0) {
+                        warn("Failed to replicate\n$cmd_repl");
+                        return undef;
+                }
+                # replicate Default NC
+                $cmd_repl = "$cmd \"$base_dn\"";
+                unless(system($cmd_repl) == 0) {
+                        warn("Failed to replicate\n$cmd_repl");
+                        return undef;
+                }
+        }
+
+        return $env;
+}
+
 sub setup_rodc($$$)
 {
@@ -1537 +2240 @@
         }
 
-        $self->check_or_start($env,
-                ($ENV{SMBD_MAXTIME} or 7500));
-
-        $self->wait_for_start($env);
+        if (not defined($self->check_or_start($env, "single"))) {
+            return undef;
+        }
+
+        # force source and replicated DC to update repsTo/repsFrom
+        # for vampired partitions
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+        $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+        $cmd .= " $samba_tool drs kcc -k no $env->{DC_SERVER}";
+        $cmd .= " $env->{CONFIGURATION}";
+        $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+        unless (system($cmd) == 0) {
+            warn("Failed to exec kcc\n$cmd");
+            return undef;
+        }
+
+        my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+        my $cmd = "";
+        $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+        $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+        $cmd .= " $samba_tool drs kcc -k no $env->{SERVER}";
+        $cmd .= " $env->{CONFIGURATION}";
+        $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+        unless (system($cmd) == 0) {
+            warn("Failed to exec kcc\n$cmd");
+            return undef;
+        }
+
+        my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+        $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+        $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+        $cmd .= " $samba_tool drs replicate $env->{SERVER} $env->{DC_SERVER}";
+        $cmd .= " $dc_vars->{CONFIGURATION}";
+        $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+        # replicate Configuration NC
+        my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+        unless(system($cmd_repl) == 0) {
+            warn("Failed to replicate\n$cmd_repl");
+            return undef;
+        }
+        # replicate Default NC
+        $cmd_repl = "$cmd \"$base_dn\"";
+        unless(system($cmd_repl) == 0) {
+            warn("Failed to replicate\n$cmd_repl");
+            return undef;
+        }
 
         $self->{vars}->{rodc} = $env;
@@ -1547 +2294 @@
 }
 
+sub setup_ad_dc($$)
+{
+        my ($self, $path, $no_nss) = @_;
+
+        # If we didn't build with ADS, pretend this env was never available
+        if (not $self->{target3}->have_ads()) {
+               return "UNKNOWN";
+        }
+
+        my $env = $self->provision_ad_dc($path);
+        unless ($env) {
+                return undef;
+        }
+
+        if (defined($no_nss) and $no_nss) {
+                $env->{NSS_WRAPPER_MODULE_SO_PATH} = undef;
+                $env->{NSS_WRAPPER_MODULE_FN_PREFIX} = undef;
+        }
+
+        if (not defined($self->check_or_start($env, "single"))) {
+            return undef;
+        }
+
+        my $upn_array = ["$env->{REALM}.upn"];
+        my $spn_array = ["$env->{REALM}.spn"];
+
+        $self->setup_namespaces($env, $upn_array, $spn_array);
+
+        $self->{vars}->{ad_dc} = $env;
+        return $env;
+}
+
+sub setup_none($$)
+{
+        my ($self, $path) = @_;
+
+        my $ret = {
+                KRB5_CONFIG => abs_path($path) . "/no_krb5.conf",
+                SAMBA_PID => -1,
+        }
+}
+
 1;

vendor/current/selftest/valgrind_run

@@ -5 +5 @@
 shift 1
 
-CMD="$ENV valgrind -q --db-attach=yes --num-callers=30 $@"
+CMD="$ENV valgrind --num-callers=30
+--trace-children=yes --log-file=valgrind.%p.log
+${VALGRIND_OPT- --time-stamp=yes --track-fds=yes --read-var-info=yes --track-origins=yes --leak-check=yes}
+$@"
+
 echo $CMD
 eval $CMD