Merge branch 'v4-0-test' of ssh://git.samba.org/data/git/samba into registry

(This used to be commit e8d96b61db1cddc2d8dca45e6e9b53d5c31ee5d4)

16 files changed, 195 insertions, 303 deletions

diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount
index 849b515675..061997b804 100644..100755
--- a/source4/setup/enableaccount
+++ b/source4/setup/enableaccount
@@ -5,17 +5,19 @@
 #	Copyright Jelmer Vernooij 2008
 #	Released under the GNU GPL version 3 or later
 #
+import os, sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
 
 import samba.getopt as options
 import optparse
 import pwd
-import sys
 import ldb
 
-from auth import system_session
+from samba.auth import system_session
 from samba.samdb import SamDB
 
-parser = optparse.OptionParser("setpassword [username] [options]")
+parser = optparse.OptionParser("enableaccount [username] [options]")
 sambaopts = options.SambaOptions(parser)
 parser.add_option_group(sambaopts)
 parser.add_option_group(options.VersionOptions(parser))
diff --git a/source4/setup/idmap_init.ldif b/source4/setup/idmap_init.ldif
index a397cfd0d2..43e5b65562 100644
--- a/source4/setup/idmap_init.ldif
+++ b/source4/setup/idmap_init.ldif
@@ -1,5 +1,4 @@
 dn: CN=CONFIG
 cn: CONFIG
-lowerBound: 10000
-upperBound: 20000
-
+lowerBound: 3000000
+upperBound: 4000000
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
new file mode 100644
index 0000000000..7dad63de73
--- /dev/null
+++ b/source4/setup/krb5.conf
@@ -0,0 +1,17 @@
+[libdefaults]
+	default_realm = ${REALM}
+	dns_lookup_realm = false
+	dns_lookup_kdc = false
+	ticket_lifetime = 24h
+	forwardable = yes
+
+[realms]
+	${REALM} = {
+		kdc = ${HOSTNAME}.${DNSDOMAIN}:88
+		admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
+		default_domain = ${DNSDOMAIN}
+	}
+
+[domain_realm]
+	.${DNSDOMAIN} = ${REALM}
+	${DNSDOMAIN} = ${REALM}
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index 025788093e..4f98bbd914 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,35 +3,102 @@
 # the BIND nameserver.
 #
 
-# If you have a very recent BIND, supporting GSS-TSIG, 
-# insert this into options {}  (otherwise omit, it is not required if we don't accept updates)
-tkey-gssapi-credential "DNS/${DNSDOMAIN}";
-tkey-domain "${REALM}";
-
-# You should always include the actual zone configuration reference:
+# You should always include the actual forward zone configuration:
 zone "${DNSDOMAIN}." IN {
-        type master;
-        file "${DNSDOMAIN}.zone";
+	type master;
+	file "${DNSDOMAIN}.zone";
 	update-policy {
-		/* use ANY only for Domain controllers for now */
-		/* for normal machines A AAAA PTR is probbaly all is needed */
-		grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
+		/*
+		 * A rather long description here, as the "ms-self" option does
+		 * not appear in any docs yet (it can only be found in the
+		 * source code).
+		 *
+		 * The short of it is that each host is allowed to update its
+		 * own A and AAAA records, when the update request is properly
+		 * signed by the host itself.
+		 *
+		 * The long description is (look at the
+		 * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
+		 * its definition in lib/dns/gssapictx.c for details):
+		 *
+		 * A GSS-TSIG update request will be signed by a given signer
+		 * (e.g. machine-name$@${REALM}).  The signer name is split into
+		 * the machine component (e.g. "machine-name") and the realm
+		 * component (e.g. "${REALM}").  The update is allowed if the
+		 * following conditions are met:
+		 *
+		 * 1) The machine component of the signer name matches the first
+		 * (host) component of the FQDN that is being updated.
+		 *
+		 * 2) The realm component of the signer name matches the realm
+		 * in the grant statement below (${REALM}).
+		 *
+		 * 3) The domain component of the FQDN that is being updated
+		 * matches the realm in the grant statement below.
+		 *
+		 * If the 3 conditions above are satisfied, the update succeeds.
+		 */
+		grant ${REALM} ms-self * A AAAA;
 	};
 };
 
-# Also, you need to change your init scripts to set this environment variable
-# for named: KRB5_KTNAME so that it points to the keytab generated.
-# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
-# line to the /etc/sysconfig/named file:
-# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
-#
-# Please note that most distributions have BIND configured to run under
-# a non-root user account.  For example, Fedora Core 6 (FC6) runs BIND as
-# the user "named" once the daemon relinquishes its rights.  Therefore,
-# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as.
-# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
-# permissions altered to allow the daemon to read it.  In the FC6
-# example, execute the commands:
-# 
-# chgrp named ${DNS_KEYTAB_ABS}
-# chmod g+r ${DNS_KEYTAB_ABS}
+# The reverse zone configuration is optional.  The following example assumes a
+# subnet of 192.168.123.0/24:
+zone "123.168.192.in-addr.arpa" in {
+	type master;
+	file "123.168.192.in-addr.arpa.zone";
+	update-policy {
+		grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
+	};
+};
+# Note that the reverse zone file is not created during the provision process.
+
+# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
+# updates.  If you are running an earlier version of BIND, or if you do not wish
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
+# both examples above.
+
+# If you are running a capable version of BIND and you wish to support secure
+# GSS-TSIG updates, you must make the following configuration changes:
+
+# - Insert the following lines into the options {} section of your named.conf
+# file:
+tkey-gssapi-credential "DNS/${DNSDOMAIN}";
+tkey-domain "${REALM}";
+
+# - Modify BIND init scripts to pass the location of the generated keytab file.
+# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
+# for this purpose:
+KEYTAB_FILE="${DNS_KEYTAB_ABS}"
+# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
+# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon.  If
+# your distribution does not provide a variable like KEYTAB_FILE to pass a
+# keytab file to the BIND daemon, a workaround is to place the following line in
+# BIND's sysconfig file or in the init script for BIND:
+export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
+
+# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file.  Note
+# that most distributions have BIND configured to run under a non-root user
+# account.  For example, Fedora 9 runs BIND as the user "named" once the daemon
+# relinquishes its rights.  Therefore, the file ${DNS_KEYTAB} must be readable
+# by the user that BIND run as.  If BIND is running as a non-root user, the
+# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
+# read it.  Under Fedora 9, execute the following commands:
+chgrp named ${DNS_KEYTAB_ABS}
+chmod g+r ${DNS_KEYTAB_ABS}
+
+# - Ensure the BIND zone file(s) that will be dynamically updated are in a
+# directory where the BIND daemon can write.  When BIND performs dynamic
+# updates, it not only needs to update the zone file itself but it must also
+# create a journal (.jnl) file to track the dynamic updates as they occur.
+# Under Fedora 9, the /var/named directory can not be written to by the "named"
+# user.  However, the directory /var/named/dynamic directory does provide write
+# access.  Therefore the zone files were placed under the /var/named/dynamic
+# directory.  The file directives in both example zone statements at the
+# beginning of this file were changed by prepending the directory "dynamic/".
+
+# - If SELinux is enabled, ensure that all files have the appropriate SELinux
+# file contexts.  The ${DNS_KEYTAB} file must be accessible by the BIND daemon
+# and should have a SELinux type of named_conf_t.  This can be set with the
+# following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
diff --git a/source4/setup/newuser b/source4/setup/newuser
index 04a5440ee1..991afa36d8 100755
--- a/source4/setup/newuser
+++ b/source4/setup/newuser
@@ -6,12 +6,16 @@
 #	Released under the GNU GPL version 3 or later
 #
 
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
 import samba.getopt as options
 import optparse
 import pwd
-import sys
 from getpass import getpass
-from auth import system_session
+from samba.auth import system_session
 from samba.samdb import SamDB
 
 parser = optparse.OptionParser("newuser [options] <username> [<password>]")
diff --git a/source4/setup/provision b/source4/setup/provision
index 259bd814a4..c1d6cd157a 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -26,15 +26,20 @@ import getopt
 import optparse
 import os, sys
 
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
 import samba
-import param
 
-from auth import system_session
+from samba.auth import system_session
 import samba.getopt as options
+from samba import param
 from samba.provision import (provision, 
                              FILL_FULL, FILL_NT4SYNC,
                              FILL_DRS)
 
+# how do we make this case insensitive??
+
 parser = optparse.OptionParser("provision [options]")
 sambaopts = options.SambaOptions(parser)
 parser.add_option_group(sambaopts)
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
index 4f222c467a..54dc5839bf 100755
--- a/source4/setup/provision-backend
+++ b/source4/setup/provision-backend
@@ -22,14 +22,17 @@
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 #
 
+import os, sys
+
+sys.path.insert(0, "bin/python")
+
 import getopt
 import optparse
-import os, sys
 
 import samba
-import param
+from samba import param
 
-from auth import system_session
+from samba.auth import system_session
 import samba.getopt as options
 from samba.provision import (provision_backend)
 
diff --git a/source4/setup/provision-backend.js b/source4/setup/provision-backend.js
deleted file mode 100644
index 9482d8c435..0000000000
--- a/source4/setup/provision-backend.js
+++ /dev/null
@@ -1,188 +0,0 @@
-#!/bin/sh
-exec smbscript "$0" ${1+"$@"}
-/*
-	provision a Samba4 server
-	Copyright Andrew Tridgell 2005
-	Released under the GNU GPL version 3 or later
-*/
-
-options = GetOptions(ARGV,
-		"POPT_AUTOHELP",
-		"POPT_COMMON_SAMBA",
-		"POPT_COMMON_VERSION",
-		"POPT_COMMON_CREDENTIALS",
-		'realm=s',
-		'host-name=s',
-		'ldap-manager-pass=s',
-		'root=s',
-		'quiet',
-		'ldap-backend-type=s',
-                'ldap-backend-port=i');
-
-if (options == undefined) {
-   println("Failed to parse options");
-   return -1;
-}
-
-sys = sys_init();
-
-libinclude("base.js");
-libinclude("provision.js");
-
-/*
-  print a message if quiet is not set
-*/
-function message()
-{
-	if (options["quiet"] == undefined) {
-		print(vsprintf(arguments));
-	}
-}
-
-/*
- show some help
-*/
-function ShowHelp()
-{
-	print("
-Samba4 provisioning
-
-provision [options]
- --realm	REALM		set realm
- --host-name	HOSTNAME	set hostname
- --ldap-manager-pass	PASSWORD	choose LDAP Manager password (otherwise random)
- --root         USERNAME	choose 'root' unix username
- --quiet			Be quiet
- --ldap-backend-type LDAPSERVER Select either \"openldap\" or \"fedora-ds\" as a target to configure
- --ldap-backend-port PORT       Select the TCP port (if any) that the LDAP backend should listen on (Fedora DS only)
-You must provide at least a realm and ldap-backend-type
-
-");
-	exit(1);
-}
-
-if (options['host-name'] == undefined) {
-	options['host-name'] = hostname();
-}
-
-/*
-   main program
-*/
-if (options["realm"] == undefined ||
-    options["ldap-backend-type"] == undefined ||
-    options["host-name"] == undefined) {
-	ShowHelp();
-}
-
-/* cope with an initially blank smb.conf */
-var lp = loadparm_init();
-lp.set("realm", options.realm);
-lp.reload();
-
-var subobj = provision_guess();
-for (r in options) {
-	var key = strupper(join("", split("-", r)));
-	subobj[key] = options[r];
-}
-
-
-
-var paths = provision_default_paths(subobj);
-provision_fix_subobj(subobj, paths);
-message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR);
-message("Using %s password: %s\n", subobj.LDAPMANAGERDN, subobj.LDAPMANAGERPASS);
-var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb";
-sys.mkdir(subobj.LDAPDIR, 0700);
-
-provision_schema(subobj, message, tmp_schema_ldb, paths);
-
-var mapping;
-var backend_schema;
-var slapd_command;
-if (options["ldap-backend-type"] == "fedora-ds") {
-	mapping = "schema-map-fedora-ds-1.0";
-	backend_schema = "99_ad.ldif";
-	if (options["ldap-backend-port"] != undefined) {
-		message("Will listen on TCP port " + options["ldap-backend-port"] + "\n");
-		subobj.SERVERPORT="ServerPort = " + options["ldap-backend-port"];
-	} else {
-		message("Will listen on LDAPI only\n");
-		subobj.SERVERPORT="";
-	}
-	setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj);
-	setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj);
-
-	slapd_command = "(see documentation)";
-} else if (options["ldap-backend-type"] == "openldap") {
-	mapping = "schema-map-openldap-2.3";
-	backend_schema = "backend-schema.schema";
-	setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj);
-	setup_file("modules.conf", message, subobj.LDAPDIR + "/modules.conf", subobj);
-	sys.mkdir(subobj.LDAPDIR + "/db", 0700);
-	subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/user";
-	sys.mkdir(subobj.LDAPDBDIR, 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
-	setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
-	subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/config";
-	sys.mkdir(subobj.LDAPDBDIR, 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
-	setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
-	subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/schema";
-	sys.mkdir(subobj.LDAPDBDIR, 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
-	sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
-	setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
-	if (options["ldap-backend-port"] != undefined) {
-		message("\nStart slapd with: \n");
-		slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h \"ldap://0.0.0.0:" + options["ldap-backend-port"] + " " + subobj.LDAPI_URI "\"";
-	} else {
-		slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h " + subobj.LDAPI_URI;
-	}
-
-	var ldb = ldb_init();
-	ldb.filename = tmp_schema_ldb;
-
-	var connect_ok = ldb.connect(ldb.filename);
-	assert(connect_ok);
-	var attrs = new Array("linkID", "lDAPDisplayName");
-	var res = ldb.search("(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", subobj.SCHEMADN, ldb.SCOPE_SUBTREE, attrs);
-	assert(res.error == 0);
-	var memberof_config = "";
-	var refint_attributes = "";
-	for (i=0; i < res.msgs.length; i++) {
-		var target = searchone(ldb, subobj.SCHEMADN, "(&(objectclass=attributeSchema)(linkID=" + (res.msgs[i].linkID + 1) + "))", "lDAPDisplayName");
-		if (target != undefined) {
-			refint_attributes = refint_attributes + " " + target + " " + res.msgs[i].lDAPDisplayName;
-			memberof_config = memberof_config + "overlay memberof
-memberof-dangling error
-memberof-refint TRUE
-memberof-group-oc top
-memberof-member-ad " + res.msgs[i].lDAPDisplayName + "
-memberof-memberof-ad " + target + "
-memberof-dangling-error 32
-
-";
-		}
-	}
-
-	memberof_config = memberof_config + "
-overlay refint
-refint_attributes" + refint_attributes + "
-";
-	
-	ok = sys.file_save(subobj.LDAPDIR + "/memberof.conf", memberof_config);
-	if (!ok) {
-		message("failed to create file: " + f + "\n");
-		assert(ok);
-	}
-
-}
-var schema_command = "ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/" + backend_schema;
-
-message("\nCreate a suitable schema file with:\n%s\n", schema_command);
-message("\nStart slapd with: \n%s\n", slapd_command);
-
-message("All OK\n");
-return 0;
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index f5e1bb5add..63332e937b 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -75,6 +75,6 @@ subRefs: ${CONFIGDN}
 subRefs: ${SCHEMADN}
 -
 replace: gPLink
-gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};2]
+gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
 -
 ${DOMAINGUID_MOD}
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
index 71c7fc2f5b..abc5860cf7 100644
--- a/source4/setup/secrets_dc.ldif
+++ b/source4/setup/secrets_dc.ldif
@@ -33,6 +33,7 @@ objectClass: secret
 objectClass: kerberosSecret
 realm: ${REALM}
 servicePrincipalName: DNS/${DNSDOMAIN}
+msDS-KeyVersionNumber: 1
 privateKeytab: ${DNS_KEYTAB}
 secret:: ${DNSPASS_B64}
 
diff --git a/source4/setup/setpassword b/source4/setup/setpassword
index 977a6a5ee8..65770e1f4d 100644
--- a/source4/setup/setpassword
+++ b/source4/setup/setpassword
@@ -6,12 +6,17 @@
 #	Released under the GNU GPL version 3 or later
 #
 
+import os, sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
 import samba.getopt as options
 import optparse
 import pwd
 import sys
 from getpass import getpass
-from auth import system_session
+from samba.auth import system_session
 from samba.samdb import SamDB
 
 parser = optparse.OptionParser("setpassword [username] [options]")
diff --git a/source4/setup/tests/blackbox_newuser.sh b/source4/setup/tests/blackbox_newuser.sh
new file mode 100755
index 0000000000..fed5f7d263
--- /dev/null
+++ b/source4/setup/tests/blackbox_newuser.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: blackbox_newuser.sh PREFIX CONFIGURATION
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+CONFIGURATION="$2"
+shift 2
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+
+testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+
+testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
+
+exit $failed
diff --git a/source4/setup/tests/blackbox_provision.sh b/source4/setup/tests/blackbox_provision.sh
index 19f37cef2d..2afa9dc952 100755
--- a/source4/setup/tests/blackbox_provision.sh
+++ b/source4/setup/tests/blackbox_provision.sh
@@ -11,21 +11,7 @@ PREFIX="$1"
 CONFIGURATION="$2"
 shift 2
 
-testit() {
-	name="$1"
-	shift
-	cmdline="$*"
-	echo "test: $name"
-	$cmdline
-	status=$?
-	if [ x$status = x0 ]; then
-		echo "success: $name"
-	else
-		echo "failure: $name"
-		failed=`expr $failed + 1`
-	fi
-	return $status
-}
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
 
 testit "simple-default" $PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default
 testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
@@ -34,9 +20,6 @@ testit "simple-standalone" $PYTHON ./setup/provision $CONFIGURATION --server-rol
 testit "blank-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/blank-dc --blank
 testit "partitions-only-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/partitions-only-dc --partitions-only
 
-testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
-testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass
-
 reprovision() {
 	$PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
 	$PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
new file mode 100755
index 0000000000..725466150c
--- /dev/null
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: blackbox_setpassword.sh PREFIX CONFIGURATION
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+CONFIGURATION="$2"
+shift 2
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+
+testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
+
+testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass
+
+exit $failed
diff --git a/source4/setup/upgrade.py b/source4/setup/upgrade
index 3bcc57ab64..03c6747d4e 100755
--- a/source4/setup/upgrade.py
+++ b/source4/setup/upgrade
@@ -7,10 +7,14 @@
 import getopt
 import optparse
 import os, sys
-import param
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
 import samba
 import samba.getopt as options
-from auth import system_session
+from samba import param
+from samba.auth import system_session
 
 parser = optparse.OptionParser("upgrade [options] <libdir> <smbconf>")
 sambaopts = options.SambaOptions(parser)
diff --git a/source4/setup/vampire.py b/source4/setup/vampire.py
deleted file mode 100755
index 728c53146a..0000000000
--- a/source4/setup/vampire.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/python
-
-# Unix SMB/CIFS implementation.
-# Vampire a remote domain
-# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
-#   
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#   
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-# GNU General Public License for more details.
-#   
-# You should have received a copy of the GNU General Public License
-# along with this program.  If not, see <http://www.gnu.org/licenses/>.
-#
-
-from net import libnet
-import optparse
-import samba.getopt as options
-import param
-from auth import system_session
-import sys
-
-parser = optparse.OptionParser("vampire [options] <domain>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-
-opts, args = parser.parse_args()
-
-if len(args) < 1:
-    parser.print_usage()
-    sys.exit(1)
-
-def vampire(domain, session_info, credentials, lp):
-    ctx = libnet(lp_ctx=lp)
-    ctx.cred = credentials
-    machine_creds = Credentials();
-    machine_creds.set_domain(domain);
-    if not machine_creds.set_machine_account():
-        raise Exception("Failed to access domain join information!")
-    ctx.samsync_ldb(vampire_ctx, machine_creds=machine_creds, 
-                    session_info=session_info)
-
-lp = sambaopts.get_loadparm()
-vampire(args[0], session_info=system_session(), 
-        credentials=credopts.get_credentials(), lp=lp)