summaryrefslogtreecommitdiff
path: root/source4/setup
diff options
context:
space:
mode:
Diffstat (limited to 'source4/setup')
-rwxr-xr-x[-rw-r--r--]source4/setup/enableaccount8
-rw-r--r--source4/setup/idmap_init.ldif5
-rw-r--r--source4/setup/krb5.conf17
-rw-r--r--source4/setup/named.conf121
-rwxr-xr-xsource4/setup/newuser8
-rwxr-xr-xsource4/setup/provision9
-rwxr-xr-xsource4/setup/provision-backend9
-rw-r--r--source4/setup/provision-backend.js188
-rw-r--r--source4/setup/provision_basedn_modify.ldif2
-rw-r--r--source4/setup/secrets_dc.ldif1
-rw-r--r--source4/setup/setpassword7
-rwxr-xr-xsource4/setup/tests/blackbox_newuser.sh21
-rwxr-xr-xsource4/setup/tests/blackbox_provision.sh19
-rwxr-xr-xsource4/setup/tests/blackbox_setpassword.sh22
-rwxr-xr-xsource4/setup/upgrade (renamed from source4/setup/upgrade.py)8
-rwxr-xr-xsource4/setup/vampire.py53
16 files changed, 195 insertions, 303 deletions
diff --git a/source4/setup/enableaccount b/source4/setup/enableaccount
index 849b515675..061997b804 100644..100755
--- a/source4/setup/enableaccount
+++ b/source4/setup/enableaccount
@@ -5,17 +5,19 @@
# Copyright Jelmer Vernooij 2008
# Released under the GNU GPL version 3 or later
#
+import os, sys
+
+sys.path.insert(0, os.path.join(os.path.dirname(sys.argv[0]), "../bin/python"))
import samba.getopt as options
import optparse
import pwd
-import sys
import ldb
-from auth import system_session
+from samba.auth import system_session
from samba.samdb import SamDB
-parser = optparse.OptionParser("setpassword [username] [options]")
+parser = optparse.OptionParser("enableaccount [username] [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
parser.add_option_group(options.VersionOptions(parser))
diff --git a/source4/setup/idmap_init.ldif b/source4/setup/idmap_init.ldif
index a397cfd0d2..43e5b65562 100644
--- a/source4/setup/idmap_init.ldif
+++ b/source4/setup/idmap_init.ldif
@@ -1,5 +1,4 @@
dn: CN=CONFIG
cn: CONFIG
-lowerBound: 10000
-upperBound: 20000
-
+lowerBound: 3000000
+upperBound: 4000000
diff --git a/source4/setup/krb5.conf b/source4/setup/krb5.conf
new file mode 100644
index 0000000000..7dad63de73
--- /dev/null
+++ b/source4/setup/krb5.conf
@@ -0,0 +1,17 @@
+[libdefaults]
+ default_realm = ${REALM}
+ dns_lookup_realm = false
+ dns_lookup_kdc = false
+ ticket_lifetime = 24h
+ forwardable = yes
+
+[realms]
+ ${REALM} = {
+ kdc = ${HOSTNAME}.${DNSDOMAIN}:88
+ admin_server = ${HOSTNAME}.${DNSDOMAIN}:749
+ default_domain = ${DNSDOMAIN}
+ }
+
+[domain_realm]
+ .${DNSDOMAIN} = ${REALM}
+ ${DNSDOMAIN} = ${REALM}
diff --git a/source4/setup/named.conf b/source4/setup/named.conf
index 025788093e..4f98bbd914 100644
--- a/source4/setup/named.conf
+++ b/source4/setup/named.conf
@@ -3,35 +3,102 @@
# the BIND nameserver.
#
-# If you have a very recent BIND, supporting GSS-TSIG,
-# insert this into options {} (otherwise omit, it is not required if we don't accept updates)
-tkey-gssapi-credential "DNS/${DNSDOMAIN}";
-tkey-domain "${REALM}";
-
-# You should always include the actual zone configuration reference:
+# You should always include the actual forward zone configuration:
zone "${DNSDOMAIN}." IN {
- type master;
- file "${DNSDOMAIN}.zone";
+ type master;
+ file "${DNSDOMAIN}.zone";
update-policy {
- /* use ANY only for Domain controllers for now */
- /* for normal machines A AAAA PTR is probbaly all is needed */
- grant ${HOSTNAME}.${DNSDOMAIN}@${REALM} name ${HOSTNAME}.${DNSDOMAIN} ANY;
+ /*
+ * A rather long description here, as the "ms-self" option does
+ * not appear in any docs yet (it can only be found in the
+ * source code).
+ *
+ * The short of it is that each host is allowed to update its
+ * own A and AAAA records, when the update request is properly
+ * signed by the host itself.
+ *
+ * The long description is (look at the
+ * dst_gssapi_identitymatchesrealmms() call in lib/dns/ssu.c and
+ * its definition in lib/dns/gssapictx.c for details):
+ *
+ * A GSS-TSIG update request will be signed by a given signer
+ * (e.g. machine-name$@${REALM}). The signer name is split into
+ * the machine component (e.g. "machine-name") and the realm
+ * component (e.g. "${REALM}"). The update is allowed if the
+ * following conditions are met:
+ *
+ * 1) The machine component of the signer name matches the first
+ * (host) component of the FQDN that is being updated.
+ *
+ * 2) The realm component of the signer name matches the realm
+ * in the grant statement below (${REALM}).
+ *
+ * 3) The domain component of the FQDN that is being updated
+ * matches the realm in the grant statement below.
+ *
+ * If the 3 conditions above are satisfied, the update succeeds.
+ */
+ grant ${REALM} ms-self * A AAAA;
};
};
-# Also, you need to change your init scripts to set this environment variable
-# for named: KRB5_KTNAME so that it points to the keytab generated.
-# In RedHat derived systems such RHEL/CentOS/Fedora you can add the following
-# line to the /etc/sysconfig/named file:
-# export KRB5_KTNAME=${DNS_KEYTAB_ABS}
-#
-# Please note that most distributions have BIND configured to run under
-# a non-root user account. For example, Fedora Core 6 (FC6) runs BIND as
-# the user "named" once the daemon relinquishes its rights. Therefore,
-# the file "${DNS_KEYTAB}" must be readable by the user that BIND run as.
-# If BIND is running as a non-root user, the "${DNS_KEYTAB}" file must have its
-# permissions altered to allow the daemon to read it. In the FC6
-# example, execute the commands:
-#
-# chgrp named ${DNS_KEYTAB_ABS}
-# chmod g+r ${DNS_KEYTAB_ABS}
+# The reverse zone configuration is optional. The following example assumes a
+# subnet of 192.168.123.0/24:
+zone "123.168.192.in-addr.arpa" in {
+ type master;
+ file "123.168.192.in-addr.arpa.zone";
+ update-policy {
+ grant ${REALM_WC} wildcard *.123.168.192.in-addr.arpa. PTR;
+ };
+};
+# Note that the reverse zone file is not created during the provision process.
+
+# The most recent BIND version (9.5.0a5 or later) supports secure GSS-TSIG
+# updates. If you are running an earlier version of BIND, or if you do not wish
+# to use secure GSS-TSIG updates, you may remove the update-policy sections in
+# both examples above.
+
+# If you are running a capable version of BIND and you wish to support secure
+# GSS-TSIG updates, you must make the following configuration changes:
+
+# - Insert the following lines into the options {} section of your named.conf
+# file:
+tkey-gssapi-credential "DNS/${DNSDOMAIN}";
+tkey-domain "${REALM}";
+
+# - Modify BIND init scripts to pass the location of the generated keytab file.
+# Fedora 8 & later provide a variable named KEYTAB_FILE in /etc/sysconfig/named
+# for this purpose:
+KEYTAB_FILE="${DNS_KEYTAB_ABS}"
+# Note that the Fedora scripts translate KEYTAB_FILE behind the scenes into a
+# variable named KRB5_KTNAME, which is ultimately passed to the BIND daemon. If
+# your distribution does not provide a variable like KEYTAB_FILE to pass a
+# keytab file to the BIND daemon, a workaround is to place the following line in
+# BIND's sysconfig file or in the init script for BIND:
+export KRB5_KTNAME="${DNS_KEYTAB_ABS}"
+
+# - Set appropriate ownership and permissions on the ${DNS_KEYTAB} file. Note
+# that most distributions have BIND configured to run under a non-root user
+# account. For example, Fedora 9 runs BIND as the user "named" once the daemon
+# relinquishes its rights. Therefore, the file ${DNS_KEYTAB} must be readable
+# by the user that BIND run as. If BIND is running as a non-root user, the
+# "${DNS_KEYTAB}" file must have its permissions altered to allow the daemon to
+# read it. Under Fedora 9, execute the following commands:
+chgrp named ${DNS_KEYTAB_ABS}
+chmod g+r ${DNS_KEYTAB_ABS}
+
+# - Ensure the BIND zone file(s) that will be dynamically updated are in a
+# directory where the BIND daemon can write. When BIND performs dynamic
+# updates, it not only needs to update the zone file itself but it must also
+# create a journal (.jnl) file to track the dynamic updates as they occur.
+# Under Fedora 9, the /var/named directory can not be written to by the "named"
+# user. However, the directory /var/named/dynamic directory does provide write
+# access. Therefore the zone files were placed under the /var/named/dynamic
+# directory. The file directives in both example zone statements at the
+# beginning of this file were changed by prepending the directory "dynamic/".
+
+# - If SELinux is enabled, ensure that all files have the appropriate SELinux
+# file contexts. The ${DNS_KEYTAB} file must be accessible by the BIND daemon
+# and should have a SELinux type of named_conf_t. This can be set with the
+# following command:
+chcon -t named_conf_t ${DNS_KEYTAB_ABS}
diff --git a/source4/setup/newuser b/source4/setup/newuser
index 04a5440ee1..991afa36d8 100755
--- a/source4/setup/newuser
+++ b/source4/setup/newuser
@@ -6,12 +6,16 @@
# Released under the GNU GPL version 3 or later
#
+import sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
import samba.getopt as options
import optparse
import pwd
-import sys
from getpass import getpass
-from auth import system_session
+from samba.auth import system_session
from samba.samdb import SamDB
parser = optparse.OptionParser("newuser [options] <username> [<password>]")
diff --git a/source4/setup/provision b/source4/setup/provision
index 259bd814a4..c1d6cd157a 100755
--- a/source4/setup/provision
+++ b/source4/setup/provision
@@ -26,15 +26,20 @@ import getopt
import optparse
import os, sys
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
import samba
-import param
-from auth import system_session
+from samba.auth import system_session
import samba.getopt as options
+from samba import param
from samba.provision import (provision,
FILL_FULL, FILL_NT4SYNC,
FILL_DRS)
+# how do we make this case insensitive??
+
parser = optparse.OptionParser("provision [options]")
sambaopts = options.SambaOptions(parser)
parser.add_option_group(sambaopts)
diff --git a/source4/setup/provision-backend b/source4/setup/provision-backend
index 4f222c467a..54dc5839bf 100755
--- a/source4/setup/provision-backend
+++ b/source4/setup/provision-backend
@@ -22,14 +22,17 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import os, sys
+
+sys.path.insert(0, "bin/python")
+
import getopt
import optparse
-import os, sys
import samba
-import param
+from samba import param
-from auth import system_session
+from samba.auth import system_session
import samba.getopt as options
from samba.provision import (provision_backend)
diff --git a/source4/setup/provision-backend.js b/source4/setup/provision-backend.js
deleted file mode 100644
index 9482d8c435..0000000000
--- a/source4/setup/provision-backend.js
+++ /dev/null
@@ -1,188 +0,0 @@
-#!/bin/sh
-exec smbscript "$0" ${1+"$@"}
-/*
- provision a Samba4 server
- Copyright Andrew Tridgell 2005
- Released under the GNU GPL version 3 or later
-*/
-
-options = GetOptions(ARGV,
- "POPT_AUTOHELP",
- "POPT_COMMON_SAMBA",
- "POPT_COMMON_VERSION",
- "POPT_COMMON_CREDENTIALS",
- 'realm=s',
- 'host-name=s',
- 'ldap-manager-pass=s',
- 'root=s',
- 'quiet',
- 'ldap-backend-type=s',
- 'ldap-backend-port=i');
-
-if (options == undefined) {
- println("Failed to parse options");
- return -1;
-}
-
-sys = sys_init();
-
-libinclude("base.js");
-libinclude("provision.js");
-
-/*
- print a message if quiet is not set
-*/
-function message()
-{
- if (options["quiet"] == undefined) {
- print(vsprintf(arguments));
- }
-}
-
-/*
- show some help
-*/
-function ShowHelp()
-{
- print("
-Samba4 provisioning
-
-provision [options]
- --realm REALM set realm
- --host-name HOSTNAME set hostname
- --ldap-manager-pass PASSWORD choose LDAP Manager password (otherwise random)
- --root USERNAME choose 'root' unix username
- --quiet Be quiet
- --ldap-backend-type LDAPSERVER Select either \"openldap\" or \"fedora-ds\" as a target to configure
- --ldap-backend-port PORT Select the TCP port (if any) that the LDAP backend should listen on (Fedora DS only)
-You must provide at least a realm and ldap-backend-type
-
-");
- exit(1);
-}
-
-if (options['host-name'] == undefined) {
- options['host-name'] = hostname();
-}
-
-/*
- main program
-*/
-if (options["realm"] == undefined ||
- options["ldap-backend-type"] == undefined ||
- options["host-name"] == undefined) {
- ShowHelp();
-}
-
-/* cope with an initially blank smb.conf */
-var lp = loadparm_init();
-lp.set("realm", options.realm);
-lp.reload();
-
-var subobj = provision_guess();
-for (r in options) {
- var key = strupper(join("", split("-", r)));
- subobj[key] = options[r];
-}
-
-
-
-var paths = provision_default_paths(subobj);
-provision_fix_subobj(subobj, paths);
-message("Provisioning LDAP backend for %s in realm %s into %s\n", subobj.HOSTNAME, subobj.REALM, subobj.LDAPDIR);
-message("Using %s password: %s\n", subobj.LDAPMANAGERDN, subobj.LDAPMANAGERPASS);
-var tmp_schema_ldb = subobj.LDAPDIR + "/schema-tmp.ldb";
-sys.mkdir(subobj.LDAPDIR, 0700);
-
-provision_schema(subobj, message, tmp_schema_ldb, paths);
-
-var mapping;
-var backend_schema;
-var slapd_command;
-if (options["ldap-backend-type"] == "fedora-ds") {
- mapping = "schema-map-fedora-ds-1.0";
- backend_schema = "99_ad.ldif";
- if (options["ldap-backend-port"] != undefined) {
- message("Will listen on TCP port " + options["ldap-backend-port"] + "\n");
- subobj.SERVERPORT="ServerPort = " + options["ldap-backend-port"];
- } else {
- message("Will listen on LDAPI only\n");
- subobj.SERVERPORT="";
- }
- setup_file("fedorads.inf", message, subobj.LDAPDIR + "/fedorads.inf", subobj);
- setup_file("fedorads-partitions.ldif", message, subobj.LDAPDIR + "/fedorads-partitions.ldif", subobj);
-
- slapd_command = "(see documentation)";
-} else if (options["ldap-backend-type"] == "openldap") {
- mapping = "schema-map-openldap-2.3";
- backend_schema = "backend-schema.schema";
- setup_file("slapd.conf", message, subobj.LDAPDIR + "/slapd.conf", subobj);
- setup_file("modules.conf", message, subobj.LDAPDIR + "/modules.conf", subobj);
- sys.mkdir(subobj.LDAPDIR + "/db", 0700);
- subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/user";
- sys.mkdir(subobj.LDAPDBDIR, 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
- setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
- subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/config";
- sys.mkdir(subobj.LDAPDBDIR, 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
- setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
- subobj.LDAPDBDIR = subobj.LDAPDIR + "/db/schema";
- sys.mkdir(subobj.LDAPDBDIR, 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/tmp", 0700);
- sys.mkdir(subobj.LDAPDBDIR + "/bdb-logs", 0700);
- setup_file("DB_CONFIG", message, subobj.LDAPDBDIR + "/DB_CONFIG", subobj);
- if (options["ldap-backend-port"] != undefined) {
- message("\nStart slapd with: \n");
- slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h \"ldap://0.0.0.0:" + options["ldap-backend-port"] + " " + subobj.LDAPI_URI "\"";
- } else {
- slapd_command = "slapd -f " + subobj.LDAPDIR + "/slapd.conf -h " + subobj.LDAPI_URI;
- }
-
- var ldb = ldb_init();
- ldb.filename = tmp_schema_ldb;
-
- var connect_ok = ldb.connect(ldb.filename);
- assert(connect_ok);
- var attrs = new Array("linkID", "lDAPDisplayName");
- var res = ldb.search("(&(&(linkID=*)(!(linkID:1.2.840.113556.1.4.803:=1)))(objectclass=attributeSchema))", subobj.SCHEMADN, ldb.SCOPE_SUBTREE, attrs);
- assert(res.error == 0);
- var memberof_config = "";
- var refint_attributes = "";
- for (i=0; i < res.msgs.length; i++) {
- var target = searchone(ldb, subobj.SCHEMADN, "(&(objectclass=attributeSchema)(linkID=" + (res.msgs[i].linkID + 1) + "))", "lDAPDisplayName");
- if (target != undefined) {
- refint_attributes = refint_attributes + " " + target + " " + res.msgs[i].lDAPDisplayName;
- memberof_config = memberof_config + "overlay memberof
-memberof-dangling error
-memberof-refint TRUE
-memberof-group-oc top
-memberof-member-ad " + res.msgs[i].lDAPDisplayName + "
-memberof-memberof-ad " + target + "
-memberof-dangling-error 32
-
-";
- }
- }
-
- memberof_config = memberof_config + "
-overlay refint
-refint_attributes" + refint_attributes + "
-";
-
- ok = sys.file_save(subobj.LDAPDIR + "/memberof.conf", memberof_config);
- if (!ok) {
- message("failed to create file: " + f + "\n");
- assert(ok);
- }
-
-}
-var schema_command = "ad2oLschema --option=convert:target=" + options["ldap-backend-type"] + " -I " + lp.get("setup directory") + "/" + mapping + " -H tdb://" + tmp_schema_ldb + " -O " + subobj.LDAPDIR + "/" + backend_schema;
-
-message("\nCreate a suitable schema file with:\n%s\n", schema_command);
-message("\nStart slapd with: \n%s\n", slapd_command);
-
-message("All OK\n");
-return 0;
diff --git a/source4/setup/provision_basedn_modify.ldif b/source4/setup/provision_basedn_modify.ldif
index f5e1bb5add..63332e937b 100644
--- a/source4/setup/provision_basedn_modify.ldif
+++ b/source4/setup/provision_basedn_modify.ldif
@@ -75,6 +75,6 @@ subRefs: ${CONFIGDN}
subRefs: ${SCHEMADN}
-
replace: gPLink
-gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};2]
+gPLink: [LDAP://CN={${POLICYGUID}},CN=Policies,CN=System,${DOMAINDN};0]
-
${DOMAINGUID_MOD}
diff --git a/source4/setup/secrets_dc.ldif b/source4/setup/secrets_dc.ldif
index 71c7fc2f5b..abc5860cf7 100644
--- a/source4/setup/secrets_dc.ldif
+++ b/source4/setup/secrets_dc.ldif
@@ -33,6 +33,7 @@ objectClass: secret
objectClass: kerberosSecret
realm: ${REALM}
servicePrincipalName: DNS/${DNSDOMAIN}
+msDS-KeyVersionNumber: 1
privateKeytab: ${DNS_KEYTAB}
secret:: ${DNSPASS_B64}
diff --git a/source4/setup/setpassword b/source4/setup/setpassword
index 977a6a5ee8..65770e1f4d 100644
--- a/source4/setup/setpassword
+++ b/source4/setup/setpassword
@@ -6,12 +6,17 @@
# Released under the GNU GPL version 3 or later
#
+import os, sys
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
import samba.getopt as options
import optparse
import pwd
import sys
from getpass import getpass
-from auth import system_session
+from samba.auth import system_session
from samba.samdb import SamDB
parser = optparse.OptionParser("setpassword [username] [options]")
diff --git a/source4/setup/tests/blackbox_newuser.sh b/source4/setup/tests/blackbox_newuser.sh
new file mode 100755
index 0000000000..fed5f7d263
--- /dev/null
+++ b/source4/setup/tests/blackbox_newuser.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: blackbox_newuser.sh PREFIX CONFIGURATION
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+CONFIGURATION="$2"
+shift 2
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+
+testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+
+testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
+
+exit $failed
diff --git a/source4/setup/tests/blackbox_provision.sh b/source4/setup/tests/blackbox_provision.sh
index 19f37cef2d..2afa9dc952 100755
--- a/source4/setup/tests/blackbox_provision.sh
+++ b/source4/setup/tests/blackbox_provision.sh
@@ -11,21 +11,7 @@ PREFIX="$1"
CONFIGURATION="$2"
shift 2
-testit() {
- name="$1"
- shift
- cmdline="$*"
- echo "test: $name"
- $cmdline
- status=$?
- if [ x$status = x0 ]; then
- echo "success: $name"
- else
- echo "failure: $name"
- failed=`expr $failed + 1`
- fi
- return $status
-}
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
testit "simple-default" $PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir=$PREFIX/simple-default
testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
@@ -34,9 +20,6 @@ testit "simple-standalone" $PYTHON ./setup/provision $CONFIGURATION --server-rol
testit "blank-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/blank-dc --blank
testit "partitions-only-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/partitions-only-dc --partitions-only
-testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
-testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass
-
reprovision() {
$PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
$PYTHON ./setup/provision $CONFIGURATION --domain=FOO --realm=foo.example.com --targetdir="$PREFIX/reprovision"
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
new file mode 100755
index 0000000000..725466150c
--- /dev/null
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -0,0 +1,22 @@
+#!/bin/sh
+
+if [ $# -lt 2 ]; then
+cat <<EOF
+Usage: blackbox_setpassword.sh PREFIX CONFIGURATION
+EOF
+exit 1;
+fi
+
+PREFIX="$1"
+CONFIGURATION="$2"
+shift 2
+
+. `dirname $0`/../../../testprogs/blackbox/subunit.sh
+
+testit "simple-dc" $PYTHON ./setup/provision $CONFIGURATION --server-role="dc" --domain=FOO --realm=foo.example.com --domain-sid=S-1-5-21-4177067393-1453636373-93818738 --targetdir=$PREFIX/simple-dc
+
+testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.conf testuser testpass
+
+testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass
+
+exit $failed
diff --git a/source4/setup/upgrade.py b/source4/setup/upgrade
index 3bcc57ab64..03c6747d4e 100755
--- a/source4/setup/upgrade.py
+++ b/source4/setup/upgrade
@@ -7,10 +7,14 @@
import getopt
import optparse
import os, sys
-import param
+
+# Find right directory when running from source tree
+sys.path.insert(0, "bin/python")
+
import samba
import samba.getopt as options
-from auth import system_session
+from samba import param
+from samba.auth import system_session
parser = optparse.OptionParser("upgrade [options] <libdir> <smbconf>")
sambaopts = options.SambaOptions(parser)
diff --git a/source4/setup/vampire.py b/source4/setup/vampire.py
deleted file mode 100755
index 728c53146a..0000000000
--- a/source4/setup/vampire.py
+++ /dev/null
@@ -1,53 +0,0 @@
-#!/usr/bin/python
-
-# Unix SMB/CIFS implementation.
-# Vampire a remote domain
-# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007
-#
-# This program is free software; you can redistribute it and/or modify
-# it under the terms of the GNU General Public License as published by
-# the Free Software Foundation; either version 3 of the License, or
-# (at your option) any later version.
-#
-# This program is distributed in the hope that it will be useful,
-# but WITHOUT ANY WARRANTY; without even the implied warranty of
-# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-# GNU General Public License for more details.
-#
-# You should have received a copy of the GNU General Public License
-# along with this program. If not, see <http://www.gnu.org/licenses/>.
-#
-
-from net import libnet
-import optparse
-import samba.getopt as options
-import param
-from auth import system_session
-import sys
-
-parser = optparse.OptionParser("vampire [options] <domain>")
-sambaopts = options.SambaOptions(parser)
-parser.add_option_group(sambaopts)
-parser.add_option_group(options.VersionOptions(parser))
-credopts = options.CredentialsOptions(parser)
-parser.add_option_group(credopts)
-
-opts, args = parser.parse_args()
-
-if len(args) < 1:
- parser.print_usage()
- sys.exit(1)
-
-def vampire(domain, session_info, credentials, lp):
- ctx = libnet(lp_ctx=lp)
- ctx.cred = credentials
- machine_creds = Credentials();
- machine_creds.set_domain(domain);
- if not machine_creds.set_machine_account():
- raise Exception("Failed to access domain join information!")
- ctx.samsync_ldb(vampire_ctx, machine_creds=machine_creds,
- session_info=session_info)
-
-lp = sambaopts.get_loadparm()
-vampire(args[0], session_info=system_session(),
- credentials=credopts.get_credentials(), lp=lp)