this commit includes all the changes on the OV_9510_INTEGRATION and

OV_MERGE branches.  This includes, but is not limited to, the new openvision
admin system, and major changes to gssapi to add functionality, and bring
the implementation in line with rfc1964.  before committing, the
code was built and tested for netbsd and solaris.

git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8774 dc483132-0cff-0310-8789-dd5450dbe970

20 files changed, 2417 insertions, 0 deletions

diff --git a/src/kadmin/testing/scripts/ChangeLog b/src/kadmin/testing/scripts/ChangeLog
new file mode 100644
index 000000000..5d7069186
--- /dev/null
+++ b/src/kadmin/testing/scripts/ChangeLog
@@ -0,0 +1,15 @@
+Fri Jul 12 14:48:20 1996  Marc Horowitz  <marc@mit.edu>
+
+	* stop_servers_local (true, false): use the path to find these,
+ 	instead of looking in /bin explicitly.
+
+	* start_servers_local (/usr/tmp): /usr/tmp doesn't exist on some
+ 	systems.  Check for that and /var/tmp, and use the one which
+ 	exists.  (true, false): use the path to find these, instead of
+ 	looking in /bin explicitly.
+
+	* make-host-keytab.pl.in: perl5 requires that @ in strings be
+ 	backwhacked.  (EDIT_KEYTAB): ovsec_adm_keytab is now kadm5_keytab.
+	
+  	* init_db: kadmin_create should be kdb5_create
+
diff --git a/src/kadmin/testing/scripts/Makefile.ov b/src/kadmin/testing/scripts/Makefile.ov
new file mode 100644
index 000000000..335b636e7
--- /dev/null
+++ b/src/kadmin/testing/scripts/Makefile.ov
@@ -0,0 +1,19 @@
+# $Id$
+
+TOP = ../..
+include $(TOP)/config.mk/template
+
+GEN_SCRIPTS = compare_dump.pl fixup-conf-files.pl make-host-keytab.pl \
+	simple_dump.pl verify_xrunner_report.pl
+
+all:: $(GEN_SCRIPTS)
+
+%.pl: %.pl.in
+	-rm -f $@.tmp
+	echo "#!$(PERL)" > $@.tmp
+	sed 1d $@.in >> $@.tmp
+	chmod +x $@.tmp
+	mv $@.tmp $@
+
+clean::
+	-rm -f $(GEN_SCRIPTS) *.tmp
diff --git a/src/kadmin/testing/scripts/compare_dump.pl.in b/src/kadmin/testing/scripts/compare_dump.pl.in
new file mode 100644
index 000000000..df93df4a0
--- /dev/null
+++ b/src/kadmin/testing/scripts/compare_dump.pl.in
@@ -0,0 +1,242 @@
+#!/usr/local/bin/perl
+
+#
+# $Id$
+#
+
+# $debug = 1;
+
+sub usage { die "usage: $0 before after changes\n";}
+
+sub unique {
+    local(@list) = @_;
+    local(%ary);
+
+    print "unique? ",join(" ",@list),"\n" if $debug;
+
+    foreach (@list) {
+	return(0) if $ary{$_}++;
+    }
+
+    1;
+}
+
+$before = shift(@ARGV) || &usage;
+$debug++ if $before =~ /^-d/;
+$before = shift(@ARGV) || &usage if $debug;
+$after = shift(@ARGV) || &usage;
+$changes = shift(@ARGV) || &usage;
+@ARGV && &usage;
+
+%policy =
+    (
+     "FIRST",2,
+     "pw_min_life",2,
+     "pw_max_life",3,
+     "pw_min_length",4,
+     "pw_min_classes",5,
+     "pw_history_num",6,
+     "policy_refcnt",7,
+     "LAST",7,
+     );
+
+%princ =
+    (
+     "FIRST",2,
+     "kvno",2,
+     "mod_name",3,
+     "max_life",4,
+     "princ_expire_time",5,
+     "expiration",5,
+     "pw_expiration",6,
+     "attributes",7,
+     "policy",8,
+     "aux_attributes",9,
+     "LAST",9,
+     );
+
+%keytab =
+    (
+     "LAST",-1,
+     );
+
+sub re { # @_ = ($cnt, $line)
+    local($cnt, $line) = @_;
+    local(@fields) = split(' ',$line);
+
+    @list = ('\S+') x $cnt;
+    for $f (@fields[3..$#fields]) {
+	($f =~ /=/) || die "Bad field: $f in $_";
+	if (!defined($this{$`})) { die "Bad parameter $` in $_"; }
+
+        if (($list[$this{$`}] = $') eq '\S+') {
+	    $list[$this{$`}] = '[^\s]+';
+	}
+    }
+    
+    join('\s+',@list)."\$";
+}
+
+open(CHANGES, $changes) || die "Couldn't open $changes: $!\n";
+
+while(<CHANGES>) {
+    next if s/^\s*\#\#\!\s*\#//;
+    next if !s/^\s*\#\#\!\s*//;
+
+    split;
+
+    if ($_[1] =~ /princ/) {
+	%this = %princ;
+	$this = "princ";
+    } elsif ($_[1] =~ /policy/) {
+	%this = %policy;
+	$this = "policy";
+    } elsif ($_[1] =~ /keytab/) {
+	%this = %keytab;
+	$this = $_[1];
+    } else {
+	die "Bad line: $_";
+    }
+
+    $cnt = $this{"LAST"}+1;
+
+    if ($_[0] =~ /add/) {
+	$diff{"+$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /delete/) {
+	$diff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /changefrom/) {
+	$diff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /changeto/) {
+	$ndiff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } else {
+	die "Bad line: $_";
+    }
+}
+
+close(CHANGES);
+
+if ($debug) {
+    for (keys %diff) {
+	print " %diff: \"$_\" /$diff{$_}/\n";
+    }
+
+    for (keys %ndiff) {
+	print "%ndiff: \"$_\" /$ndiff{$_}/\n";
+    }
+
+    print "\n";
+}
+
+open(DIFF,"gdiff -u0 $before $after|") || die "Couldn't diff: $!\n";
+
+$warnings = 0;
+
+while(<DIFF>) {
+    next if /^\+{3}/;
+    next if /^\-{3}/;
+    next if /^@@/;
+
+    print "LINE: $_" if $debug;
+
+    split;
+
+    $key = "$_[0]\t$_[1]";
+    $re = $diff{$key};
+
+    delete $diff{$key};
+
+    print "%diff: \"$key\" /$re/\n" if $debug;
+
+    if (!$re) {
+	warn "Unexpected: \"$key\"\n";
+	$warnings++;
+	next;
+    }
+
+    if (!/$re/) {
+	warn "Failed: $key\n";
+	$warnings++;
+	next;
+    }
+
+    if ($new = $ndiff{$key}) {
+	delete $ndiff{$key};
+
+	@new = split(/\\s\+/, $new);
+	for ($i=1;$i<@new;$i++) {
+	    print "NEW: $new[$i]\n" if $debug;
+
+	    if ($new[$i] ne '\S+') {
+		$_[$i] = $new[$i];
+	    }
+	}
+	$_[0] =~ s/^\-//;
+	$key =~ s/^\-/\+/;
+
+	$diff{$key} = join("\t",@_);
+    }
+}
+
+close(DIFF);
+
+open(BEFORE, $before) || die "Couldn't open $before: $!\n";
+
+while(<BEFORE>) {
+    next if !/^keytab/;
+
+    split;
+
+    if (!$seen{$key = $_[0]." ".$_[1]}++) {
+	$key =~ s/-\d+$//;
+	$ktkeys{$key} .= " ".$_[2];
+	$kttimes{$key} .= " ".$_[3];
+    }
+}
+
+close(BEFORE);
+
+open(AFTER, $after) || die "Couldn't open $after: $!\n";
+
+while(<AFTER>) {
+    next if !/^keytab/;
+
+    split;
+
+    if (!$seen{$key = $_[0]." ".$_[1]}++) {
+	$key =~ s/-\d+$//;
+	$ktkeys{$key} .= " ".$_[2];
+	$kttimes{$key} .= " ".$_[3];
+    }
+}
+
+close(AFTER);
+
+for (keys %diff) {
+    warn "Unseen: \"$_\" /$diff{$_}/\n";
+    $warnings++;
+}
+
+for (keys %ndiff) {
+    warn "Unseen changes: \"$_\" /$ndiff{$_}/\n";
+    $warnings++;
+}
+
+for (keys %ktkeys) {
+    if (!&unique(split(' ',$ktkeys{$_}))) {
+	warn "Some keys not unique for $_\n";
+	$warnings++;
+    }
+}
+
+for (keys %kttimes) {
+    if (!&unique(split(' ',$kttimes{$_}))) {
+	warn "Some timestamps not unique for $_\n";
+	$warnings++;
+    }
+}
+
+if ($warnings) {
+    warn "$warnings warnings.\n";
+}
+
+exit($warnings);
diff --git a/src/kadmin/testing/scripts/compare_dump.plin b/src/kadmin/testing/scripts/compare_dump.plin
new file mode 100644
index 000000000..df93df4a0
--- /dev/null
+++ b/src/kadmin/testing/scripts/compare_dump.plin
@@ -0,0 +1,242 @@
+#!/usr/local/bin/perl
+
+#
+# $Id$
+#
+
+# $debug = 1;
+
+sub usage { die "usage: $0 before after changes\n";}
+
+sub unique {
+    local(@list) = @_;
+    local(%ary);
+
+    print "unique? ",join(" ",@list),"\n" if $debug;
+
+    foreach (@list) {
+	return(0) if $ary{$_}++;
+    }
+
+    1;
+}
+
+$before = shift(@ARGV) || &usage;
+$debug++ if $before =~ /^-d/;
+$before = shift(@ARGV) || &usage if $debug;
+$after = shift(@ARGV) || &usage;
+$changes = shift(@ARGV) || &usage;
+@ARGV && &usage;
+
+%policy =
+    (
+     "FIRST",2,
+     "pw_min_life",2,
+     "pw_max_life",3,
+     "pw_min_length",4,
+     "pw_min_classes",5,
+     "pw_history_num",6,
+     "policy_refcnt",7,
+     "LAST",7,
+     );
+
+%princ =
+    (
+     "FIRST",2,
+     "kvno",2,
+     "mod_name",3,
+     "max_life",4,
+     "princ_expire_time",5,
+     "expiration",5,
+     "pw_expiration",6,
+     "attributes",7,
+     "policy",8,
+     "aux_attributes",9,
+     "LAST",9,
+     );
+
+%keytab =
+    (
+     "LAST",-1,
+     );
+
+sub re { # @_ = ($cnt, $line)
+    local($cnt, $line) = @_;
+    local(@fields) = split(' ',$line);
+
+    @list = ('\S+') x $cnt;
+    for $f (@fields[3..$#fields]) {
+	($f =~ /=/) || die "Bad field: $f in $_";
+	if (!defined($this{$`})) { die "Bad parameter $` in $_"; }
+
+        if (($list[$this{$`}] = $') eq '\S+') {
+	    $list[$this{$`}] = '[^\s]+';
+	}
+    }
+    
+    join('\s+',@list)."\$";
+}
+
+open(CHANGES, $changes) || die "Couldn't open $changes: $!\n";
+
+while(<CHANGES>) {
+    next if s/^\s*\#\#\!\s*\#//;
+    next if !s/^\s*\#\#\!\s*//;
+
+    split;
+
+    if ($_[1] =~ /princ/) {
+	%this = %princ;
+	$this = "princ";
+    } elsif ($_[1] =~ /policy/) {
+	%this = %policy;
+	$this = "policy";
+    } elsif ($_[1] =~ /keytab/) {
+	%this = %keytab;
+	$this = $_[1];
+    } else {
+	die "Bad line: $_";
+    }
+
+    $cnt = $this{"LAST"}+1;
+
+    if ($_[0] =~ /add/) {
+	$diff{"+$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /delete/) {
+	$diff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /changefrom/) {
+	$diff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } elsif ($_[0] =~ /changeto/) {
+	$ndiff{"-$this\t$_[2]"} = &re($cnt,$_);
+    } else {
+	die "Bad line: $_";
+    }
+}
+
+close(CHANGES);
+
+if ($debug) {
+    for (keys %diff) {
+	print " %diff: \"$_\" /$diff{$_}/\n";
+    }
+
+    for (keys %ndiff) {
+	print "%ndiff: \"$_\" /$ndiff{$_}/\n";
+    }
+
+    print "\n";
+}
+
+open(DIFF,"gdiff -u0 $before $after|") || die "Couldn't diff: $!\n";
+
+$warnings = 0;
+
+while(<DIFF>) {
+    next if /^\+{3}/;
+    next if /^\-{3}/;
+    next if /^@@/;
+
+    print "LINE: $_" if $debug;
+
+    split;
+
+    $key = "$_[0]\t$_[1]";
+    $re = $diff{$key};
+
+    delete $diff{$key};
+
+    print "%diff: \"$key\" /$re/\n" if $debug;
+
+    if (!$re) {
+	warn "Unexpected: \"$key\"\n";
+	$warnings++;
+	next;
+    }
+
+    if (!/$re/) {
+	warn "Failed: $key\n";
+	$warnings++;
+	next;
+    }
+
+    if ($new = $ndiff{$key}) {
+	delete $ndiff{$key};
+
+	@new = split(/\\s\+/, $new);
+	for ($i=1;$i<@new;$i++) {
+	    print "NEW: $new[$i]\n" if $debug;
+
+	    if ($new[$i] ne '\S+') {
+		$_[$i] = $new[$i];
+	    }
+	}
+	$_[0] =~ s/^\-//;
+	$key =~ s/^\-/\+/;
+
+	$diff{$key} = join("\t",@_);
+    }
+}
+
+close(DIFF);
+
+open(BEFORE, $before) || die "Couldn't open $before: $!\n";
+
+while(<BEFORE>) {
+    next if !/^keytab/;
+
+    split;
+
+    if (!$seen{$key = $_[0]." ".$_[1]}++) {
+	$key =~ s/-\d+$//;
+	$ktkeys{$key} .= " ".$_[2];
+	$kttimes{$key} .= " ".$_[3];
+    }
+}
+
+close(BEFORE);
+
+open(AFTER, $after) || die "Couldn't open $after: $!\n";
+
+while(<AFTER>) {
+    next if !/^keytab/;
+
+    split;
+
+    if (!$seen{$key = $_[0]." ".$_[1]}++) {
+	$key =~ s/-\d+$//;
+	$ktkeys{$key} .= " ".$_[2];
+	$kttimes{$key} .= " ".$_[3];
+    }
+}
+
+close(AFTER);
+
+for (keys %diff) {
+    warn "Unseen: \"$_\" /$diff{$_}/\n";
+    $warnings++;
+}
+
+for (keys %ndiff) {
+    warn "Unseen changes: \"$_\" /$ndiff{$_}/\n";
+    $warnings++;
+}
+
+for (keys %ktkeys) {
+    if (!&unique(split(' ',$ktkeys{$_}))) {
+	warn "Some keys not unique for $_\n";
+	$warnings++;
+    }
+}
+
+for (keys %kttimes) {
+    if (!&unique(split(' ',$kttimes{$_}))) {
+	warn "Some timestamps not unique for $_\n";
+	$warnings++;
+    }
+}
+
+if ($warnings) {
+    warn "$warnings warnings.\n";
+}
+
+exit($warnings);
diff --git a/src/kadmin/testing/scripts/find-make.sh b/src/kadmin/testing/scripts/find-make.sh
new file mode 100644
index 000000000..904730dfa
--- /dev/null
+++ b/src/kadmin/testing/scripts/find-make.sh
@@ -0,0 +1,18 @@
+#!/bin/sh
+
+POSSIBILITIES='
+/usr/local/bin/gmake
+/usr/local/bin/make
+'
+
+for file in $POSSIBILITIES; do
+	if [ -f $file ]; then
+		echo $file
+		exit 0
+	fi
+done
+
+echo gmake
+echo '$0 could not find make!' 1>&2
+exit 1
+
diff --git a/src/kadmin/testing/scripts/fixup-conf-files.pl.in b/src/kadmin/testing/scripts/fixup-conf-files.pl.in
new file mode 100644
index 000000000..d7834d1c7
--- /dev/null
+++ b/src/kadmin/testing/scripts/fixup-conf-files.pl.in
@@ -0,0 +1,344 @@
+#!/usr/local/bin/perl
+#
+# Usage: fixup-conf-files.pl [-server hostname]
+
+$verbose = $ENV{'VERBOSE_TEST'};
+$archos = $ENV{'ARCH_OS'};
+
+$REALM = "SECURE-TEST.OV.COM";
+
+sub replace {
+    local($old, $new, $backup) = @_;
+    local($dev, $ino, $mode);
+
+    $new = $old.".new" if !$new;
+    $backup = $old.".bak" if !$backup;
+
+    chmod($mode,$new) if (($dev, $ino, $mode) = stat($old));
+
+    unlink($backup);
+    link($old, $backup) || die "couldn't make backup link: $backup: $!\n"
+	if -e $old;
+    rename($new, $old) || die "couldn't rename $old to $new: $!\n";
+}
+
+if (@ARGV == 2 && $ARGV[0] eq "-server") {
+    $servername = $ARGV[1];
+} elsif (@ARGV != 0) {
+    print STDERR "Usage: $0 fixup-conf-files.pl [-server hostname]\n";
+}
+
+sub canonicalize_name {
+    local($hostname) = @_;
+    local($d, $addr, $addrtype);
+    
+    ($host,$d,$addrtype,$d,$addr) = gethostbyname($hostname);
+    die "couldn't get hostname $hostname\n" if !$host;
+    ($host) = gethostbyaddr($addr,$addrtype);
+    die "couldn't reverse-resolve $hostname\n" if !$host;
+    return $host;
+}
+
+## Get server's canonical hostname.
+if ($servername) {
+    $serverhost = $servername;
+} else {
+    chop ($serverhost = `hostname`);
+}
+$serverhost = &canonicalize_name($serverhost);
+
+## Get local canonical hostname
+chop($localhost=`hostname`);
+$localhost = &canonicalize_name($localhost);
+
+## parse krb.conf
+
+if (open(KCONF, "/etc/athena/krb.conf")) {
+    chop($hrealm = <KCONF>);
+
+    $confok = 0;
+
+    while(<KCONF>) {
+	$confs .= $_ if !/^$REALM\s+/o;
+	$confok = 1 if /^$REALM\s+$serverhost\s+admin\s+server$/oi;
+    }
+
+    close(KCONF);
+}
+
+## rewrite krb.conf if necessary.
+
+if (($hrealm ne $REALM) || !$confok) {
+    print "Rewriting /etc/athena/krb.conf...\n" if $verbose;
+
+    open(KCONF, ">/etc/athena/krb.conf.new") ||
+	die "couldn't open /etc/athena/krb.conf.new: $!\n";
+
+    print KCONF "$REALM\n";
+    print KCONF "$REALM $serverhost admin server\n";
+    print KCONF $confs;
+
+    close(KCONF);
+
+    &replace("/etc/athena/krb.conf");
+}
+
+## parse krb.realms
+
+if (open(KREALMS, "/etc/athena/krb.realms")) {
+    $serverrealmok = 0;
+    $localrealmok = 0;
+
+    while(<KREALMS>) {
+	$realms .= $_
+	    if !/^$serverhost\s+$REALM$/oi && !/^$localhost\s+$REALM$/oi;
+	$serverrealmok = 1 if /^$serverhost\s+$REALM$/oi;
+	$localrealmok = 1 if /^$localhost\s+$REALM$/oi;
+    }
+
+    close(KREALMS);
+}
+
+## rewrite krb.realms if necessary.
+
+if (!$serverrealmok || !$localrealmok) {
+    print "Rewriting /etc/athean/krb.realms...\n" if $verbose;
+
+    open(KREALMS, ">/etc/athena/krb.realms.new") ||
+	die "couldn't open /etc/athena/krb.realms.new: $!\n";
+
+    print KREALMS "$serverhost $REALM\n";
+    print KREALMS "$localhost $REALM\n" if ($localhost ne $serverhost);
+    print KREALMS $realms;
+
+    close(KREALMS);
+
+    &replace("/etc/athena/krb.realms");
+}
+
+# ## read /etc/passwd
+# 
+# open(PASSWD, "/etc/passwd") || die "couldn't open /etc/passwd: $!\n";
+# 
+# $passok = 0;
+# 
+# if ($archos ne "solaris2.3") {
+#     %mypass =
+# 	(
+# 	 "root", crypt("testroot","St"),
+# 	 "testenc", crypt("notath","HJ"),
+# 	 "testuser", "KERBEROS5",
+# 	 "pol1", "KERBEROS5",
+# 	 "pol2", "KERBEROS5",
+# 	 "pol3", "KERBEROS5",
+# 	 );
+# } else {
+#     %mypass =
+# 	(
+# 	 "root", "x", 
+# 	 "testenc", "x",
+# 	 "testuser", "x",
+# 	 "pol1", "x",
+# 	 "pol2", "x", 
+# 	 "pol3", "x",
+# 	 );
+#     %myshadow =
+# 	(
+# 	 "root", crypt("testroot","St"),
+# 	 "testenc", crypt("notath","HJ"),
+# 	 "testuser", "KERBEROS5",
+# 	 "pol1", "KERBEROS5",
+# 	 "pol2", "KERBEROS5",
+# 	 "pol3", "KERBEROS5",
+# 	 );
+# }    
+# 
+# $chpw = 0;
+# 
+# while(<PASSWD>) {
+#     if (/^([^:]+):([^:]+):/ && $mypass{$1}) {
+# 	$users{$1}++;
+# 	if ($2 ne $mypass{$1}) {
+# 	    s/^([^:]+):([^:]+):/$1:$mypass{$1}:/;
+# 	    $chpw++;
+# 	}
+#     }
+#     $pass .= $_;
+# }
+# 
+# $passok = 1;
+# 
+# for (keys %mypass) {
+#     if (!$users{$_}) {
+# 	$pass .= "$_:$mypass{$_}:32765:101::/tmp:/bin/csh\n";
+# 	$passok = 0;
+#     }
+# }
+# close(PASSWD);
+# 
+# ## rewrite passwd if necessary.
+# 
+# if ($chpw || !$passok) {
+#     print "Rewriting /etc/passwd...\n" if $verbose;
+# 
+#     open(PASSWD, ">/etc/passwd.new") ||
+# 	die "couldn't open /etc/passwd.new: $!\n";
+# 
+#     print PASSWD $pass;
+# 
+#     close(PASSWD);
+# 
+#     &replace("/etc/passwd");
+# }
+# 
+# if ($archos eq "solaris2.3") {
+# 
+# ## read /etc/shadow
+# 
+#     open(SHADOW, "/etc/shadow") || die "couldn't open /etc/shadow: $!\n";
+# 
+#     $shadowok = 0;
+#     $chpw = 0;
+#     %users = ();
+# 
+#     while(<SHADOW>) {
+# 	if (/^([^:]+):([^:]+):/ && $myshadow{$1}) {
+# 	    $users{$1}++;
+# 	    if ($2 ne $myshadow{$1}) {
+# 		s/^([^:]+):([^:]+):/$1:$myshadow{$1}:/;
+# 		$chpw++;
+# 	    }
+# 	}
+# 	$shadow .= $_;
+#     }
+#     
+#     $shadowok = 1;
+#     
+#     for (keys %myshadow) {
+# 	if (!$users{$_}) {
+# 	    $shadow .= "$_:$myshadow{$_}:6445::::::\n";
+# 	    $shadowok = 0;
+# 	}
+#     }
+#     close(SHADOW);
+#     
+# ## rewrite shadow if necessary.
+#     
+#     if ($chpw || !$shadowok) {
+# 	print "Rewriting /etc/shadow...\n" if $verbose;
+# 	
+# 	open(SHADOW, ">/etc/shadow.new") ||
+# 	    die "couldn't open /etc/shadow.new: $!\n";
+# 	
+# 	print SHADOW $shadow;
+# 	
+# 	close(SHADOW);
+# 	
+# 	&replace("/etc/shadow");
+#     }
+# }
+# 
+# if ($archos eq "aix3.2") {
+# 
+# ## read /etc/security/passwd
+# 
+#     open(SHADOW, "/etc/security/passwd") || die "couldn't open /etc/security/passwd: $!\n";
+# 
+#     $shadowok = 0;
+#     %users = ();
+# 
+#     while(<SHADOW>) {
+# 	if (/^([^:]+):\s*$/ && $mypass{$1}) {
+# 	    $user = $1;
+# 	    $users{$user}++;
+# 	    # arrange for the user to have a password entry and none other
+# 	    while (<SHADOW>) {
+# 		last if (!/=/);
+# 	    }
+# 	    $shadow .= "$user:\n\tpassword = KERBEROS5\n\n";
+# 	} else {
+# 	    $shadow .= $_;
+# 	}
+#     }
+#     
+#     $shadowok = 1;
+#     
+#     for (keys %mypass) {
+# 	if (!$users{$_}) {
+# 	    $shadow .= "$_:\n\tpassword = KERBEROS5\n\n";
+# 	    $shadowok = 0;
+# 	}
+#     }
+#     close(SHADOW);
+#     
+# ## rewrite shadow if necessary.
+#     
+#     if (!$shadowok) {
+# 	print "Rewriting /etc/security/passwd...\n" if $verbose;
+# 	
+# 	open(SHADOW, ">/etc/security/passwd.new") ||
+# 	    die "couldn't open /etc/security/passwd.new: $!\n";
+# 	
+# 	print SHADOW $shadow;
+# 	
+# 	close(SHADOW);
+# 	
+# 	&replace("/etc/security/passwd");
+#     }
+# }
+# 
+# open(SERVICES, "/etc/services") || die "couldn't open /etc/services: $!\n";
+# open(NEW_SERVICES, ">/etc/services.new") ||
+#     die "couldn't open /etc/services.new: $!\n";
+# 
+# print "Rewriting /etc/services...\n" if $verbose;
+# 
+# @needed_services = ('klogin', 'kshell', 'kerberos', 'kerberos-sec',
+# 		    'kerberos5', 'kerberos4', 'kerberos_master', 
+# 		    'passwd_server', 'eklogin', 'krb5_prop',
+# 		    'kerberos_adm', 'kerberos-adm');
+# for (@needed_services) {
+#     $needed_services{$_}++;
+# }
+# 
+# while (<SERVICES>) {
+#     m/^\s*([^\#\s][^\s]+)/;
+#     if ($needed_services{$1}) {
+# 	print "+ Commenting out old entry: $1\n" if $verbose;
+# 	print NEW_SERVICES "# $_";
+#     } else {
+# 	print NEW_SERVICES $_;
+#     }
+# }
+# 
+# close(SERVICES);
+# 
+# print NEW_SERVICES <<EOF || die "writing to /etc/services.new: $!\n";
+# 
+# klogin		543/tcp				# Kerberos authenticated rlogin
+# kshell          544/tcp         cmd             # and remote shell
+# kerberos	88/udp 		kdc		# Kerberos authentication--udp
+# kerberos	88/tcp 		kdc		# Kerberos authentication--tcp
+# kerberos-sec	750/udp 			# Kerberos authentication--udp
+# kerberos-sec	750/tcp 			# Kerberos authentication--tcp
+# kerberos5	88/udp 		kdc		# Kerberos authentication--udp
+# kerberos5	88/tcp 		kdc		# Kerberos authentication--tcp
+# kerberos4	750/udp 			# Kerberos authentication--udp
+# kerberos4	750/tcp 			# Kerberos authentication--tcp
+# kerberos_master	751/udp 			# Kerberos authentication
+# kerberos_master	751/tcp 			# Kerberos authentication
+# passwd_server	752/udp				# Kerberos passwd server
+# eklogin		2105/tcp			# Kerberos encrypted rlogin
+# krb5_prop	754/tcp				# Kerberos slave propagation
+# kerberos_adm	752/tcp				# Kerberos 5 admin/changepw
+# kerberos-adm	752/tcp				# Kerberos 5 admin/changepw
+# EOF
+# 
+# close(NEW_SERVICES) || die "error closing /etc/services.new: $!\n";
+# 
+# rename("/etc/services", "/etc/services.old") ||
+#     die "couldn't rename /etc/services to /etc/services.old: $!\n";
+# rename("/etc/services.new", "/etc/services") ||
+#     die "couldn't rename /etc/services.new to /etc/services: $!\n";
+# unlink("/etc/services.old") || die "couldn't unlink /etc/services: $!\n";
+# 
diff --git a/src/kadmin/testing/scripts/fixup-conf-files.plin b/src/kadmin/testing/scripts/fixup-conf-files.plin
new file mode 100644
index 000000000..d7834d1c7
--- /dev/null
+++ b/src/kadmin/testing/scripts/fixup-conf-files.plin
@@ -0,0 +1,344 @@
+#!/usr/local/bin/perl
+#
+# Usage: fixup-conf-files.pl [-server hostname]
+
+$verbose = $ENV{'VERBOSE_TEST'};
+$archos = $ENV{'ARCH_OS'};
+
+$REALM = "SECURE-TEST.OV.COM";
+
+sub replace {
+    local($old, $new, $backup) = @_;
+    local($dev, $ino, $mode);
+
+    $new = $old.".new" if !$new;
+    $backup = $old.".bak" if !$backup;
+
+    chmod($mode,$new) if (($dev, $ino, $mode) = stat($old));
+
+    unlink($backup);
+    link($old, $backup) || die "couldn't make backup link: $backup: $!\n"
+	if -e $old;
+    rename($new, $old) || die "couldn't rename $old to $new: $!\n";
+}
+
+if (@ARGV == 2 && $ARGV[0] eq "-server") {
+    $servername = $ARGV[1];
+} elsif (@ARGV != 0) {
+    print STDERR "Usage: $0 fixup-conf-files.pl [-server hostname]\n";
+}
+
+sub canonicalize_name {
+    local($hostname) = @_;
+    local($d, $addr, $addrtype);
+    
+    ($host,$d,$addrtype,$d,$addr) = gethostbyname($hostname);
+    die "couldn't get hostname $hostname\n" if !$host;
+    ($host) = gethostbyaddr($addr,$addrtype);
+    die "couldn't reverse-resolve $hostname\n" if !$host;
+    return $host;
+}
+
+## Get server's canonical hostname.
+if ($servername) {
+    $serverhost = $servername;
+} else {
+    chop ($serverhost = `hostname`);
+}
+$serverhost = &canonicalize_name($serverhost);
+
+## Get local canonical hostname
+chop($localhost=`hostname`);
+$localhost = &canonicalize_name($localhost);
+
+## parse krb.conf
+
+if (open(KCONF, "/etc/athena/krb.conf")) {
+    chop($hrealm = <KCONF>);
+
+    $confok = 0;
+
+    while(<KCONF>) {
+	$confs .= $_ if !/^$REALM\s+/o;
+	$confok = 1 if /^$REALM\s+$serverhost\s+admin\s+server$/oi;
+    }
+
+    close(KCONF);
+}
+
+## rewrite krb.conf if necessary.
+
+if (($hrealm ne $REALM) || !$confok) {
+    print "Rewriting /etc/athena/krb.conf...\n" if $verbose;
+
+    open(KCONF, ">/etc/athena/krb.conf.new") ||
+	die "couldn't open /etc/athena/krb.conf.new: $!\n";
+
+    print KCONF "$REALM\n";
+    print KCONF "$REALM $serverhost admin server\n";
+    print KCONF $confs;
+
+    close(KCONF);
+
+    &replace("/etc/athena/krb.conf");
+}
+
+## parse krb.realms
+
+if (open(KREALMS, "/etc/athena/krb.realms")) {
+    $serverrealmok = 0;
+    $localrealmok = 0;
+
+    while(<KREALMS>) {
+	$realms .= $_
+	    if !/^$serverhost\s+$REALM$/oi && !/^$localhost\s+$REALM$/oi;
+	$serverrealmok = 1 if /^$serverhost\s+$REALM$/oi;
+	$localrealmok = 1 if /^$localhost\s+$REALM$/oi;
+    }
+
+    close(KREALMS);
+}
+
+## rewrite krb.realms if necessary.
+
+if (!$serverrealmok || !$localrealmok) {
+    print "Rewriting /etc/athean/krb.realms...\n" if $verbose;
+
+    open(KREALMS, ">/etc/athena/krb.realms.new") ||
+	die "couldn't open /etc/athena/krb.realms.new: $!\n";
+
+    print KREALMS "$serverhost $REALM\n";
+    print KREALMS "$localhost $REALM\n" if ($localhost ne $serverhost);
+    print KREALMS $realms;
+
+    close(KREALMS);
+
+    &replace("/etc/athena/krb.realms");
+}
+
+# ## read /etc/passwd
+# 
+# open(PASSWD, "/etc/passwd") || die "couldn't open /etc/passwd: $!\n";
+# 
+# $passok = 0;
+# 
+# if ($archos ne "solaris2.3") {
+#     %mypass =
+# 	(
+# 	 "root", crypt("testroot","St"),
+# 	 "testenc", crypt("notath","HJ"),
+# 	 "testuser", "KERBEROS5",
+# 	 "pol1", "KERBEROS5",
+# 	 "pol2", "KERBEROS5",
+# 	 "pol3", "KERBEROS5",
+# 	 );
+# } else {
+#     %mypass =
+# 	(
+# 	 "root", "x", 
+# 	 "testenc", "x",
+# 	 "testuser", "x",
+# 	 "pol1", "x",
+# 	 "pol2", "x", 
+# 	 "pol3", "x",
+# 	 );
+#     %myshadow =
+# 	(
+# 	 "root", crypt("testroot","St"),
+# 	 "testenc", crypt("notath","HJ"),
+# 	 "testuser", "KERBEROS5",
+# 	 "pol1", "KERBEROS5",
+# 	 "pol2", "KERBEROS5",
+# 	 "pol3", "KERBEROS5",
+# 	 );
+# }    
+# 
+# $chpw = 0;
+# 
+# while(<PASSWD>) {
+#     if (/^([^:]+):([^:]+):/ && $mypass{$1}) {
+# 	$users{$1}++;
+# 	if ($2 ne $mypass{$1}) {
+# 	    s/^([^:]+):([^:]+):/$1:$mypass{$1}:/;
+# 	    $chpw++;
+# 	}
+#     }
+#     $pass .= $_;
+# }
+# 
+# $passok = 1;
+# 
+# for (keys %mypass) {
+#     if (!$users{$_}) {
+# 	$pass .= "$_:$mypass{$_}:32765:101::/tmp:/bin/csh\n";
+# 	$passok = 0;
+#     }
+# }
+# close(PASSWD);
+# 
+# ## rewrite passwd if necessary.
+# 
+# if ($chpw || !$passok) {
+#     print "Rewriting /etc/passwd...\n" if $verbose;
+# 
+#     open(PASSWD, ">/etc/passwd.new") ||
+# 	die "couldn't open /etc/passwd.new: $!\n";
+# 
+#     print PASSWD $pass;
+# 
+#     close(PASSWD);
+# 
+#     &replace("/etc/passwd");
+# }
+# 
+# if ($archos eq "solaris2.3") {
+# 
+# ## read /etc/shadow
+# 
+#     open(SHADOW, "/etc/shadow") || die "couldn't open /etc/shadow: $!\n";
+# 
+#     $shadowok = 0;
+#     $chpw = 0;
+#     %users = ();
+# 
+#     while(<SHADOW>) {
+# 	if (/^([^:]+):([^:]+):/ && $myshadow{$1}) {
+# 	    $users{$1}++;
+# 	    if ($2 ne $myshadow{$1}) {
+# 		s/^([^:]+):([^:]+):/$1:$myshadow{$1}:/;
+# 		$chpw++;
+# 	    }
+# 	}
+# 	$shadow .= $_;
+#     }
+#     
+#     $shadowok = 1;
+#     
+#     for (keys %myshadow) {
+# 	if (!$users{$_}) {
+# 	    $shadow .= "$_:$myshadow{$_}:6445::::::\n";
+# 	    $shadowok = 0;
+# 	}
+#     }
+#     close(SHADOW);
+#     
+# ## rewrite shadow if necessary.
+#     
+#     if ($chpw || !$shadowok) {
+# 	print "Rewriting /etc/shadow...\n" if $verbose;
+# 	
+# 	open(SHADOW, ">/etc/shadow.new") ||
+# 	    die "couldn't open /etc/shadow.new: $!\n";
+# 	
+# 	print SHADOW $shadow;
+# 	
+# 	close(SHADOW);
+# 	
+# 	&replace("/etc/shadow");
+#     }
+# }
+# 
+# if ($archos eq "aix3.2") {
+# 
+# ## read /etc/security/passwd
+# 
+#     open(SHADOW, "/etc/security/passwd") || die "couldn't open /etc/security/passwd: $!\n";
+# 
+#     $shadowok = 0;
+#     %users = ();
+# 
+#     while(<SHADOW>) {
+# 	if (/^([^:]+):\s*$/ && $mypass{$1}) {
+# 	    $user = $1;
+# 	    $users{$user}++;
+# 	    # arrange for the user to have a password entry and none other
+# 	    while (<SHADOW>) {
+# 		last if (!/=/);
+# 	    }
+# 	    $shadow .= "$user:\n\tpassword = KERBEROS5\n\n";
+# 	} else {
+# 	    $shadow .= $_;
+# 	}
+#     }
+#     
+#     $shadowok = 1;
+#     
+#     for (keys %mypass) {
+# 	if (!$users{$_}) {
+# 	    $shadow .= "$_:\n\tpassword = KERBEROS5\n\n";
+# 	    $shadowok = 0;
+# 	}
+#     }
+#     close(SHADOW);
+#     
+# ## rewrite shadow if necessary.
+#     
+#     if (!$shadowok) {
+# 	print "Rewriting /etc/security/passwd...\n" if $verbose;
+# 	
+# 	open(SHADOW, ">/etc/security/passwd.new") ||
+# 	    die "couldn't open /etc/security/passwd.new: $!\n";
+# 	
+# 	print SHADOW $shadow;
+# 	
+# 	close(SHADOW);
+# 	
+# 	&replace("/etc/security/passwd");
+#     }
+# }
+# 
+# open(SERVICES, "/etc/services") || die "couldn't open /etc/services: $!\n";
+# open(NEW_SERVICES, ">/etc/services.new") ||
+#     die "couldn't open /etc/services.new: $!\n";
+# 
+# print "Rewriting /etc/services...\n" if $verbose;
+# 
+# @needed_services = ('klogin', 'kshell', 'kerberos', 'kerberos-sec',
+# 		    'kerberos5', 'kerberos4', 'kerberos_master', 
+# 		    'passwd_server', 'eklogin', 'krb5_prop',
+# 		    'kerberos_adm', 'kerberos-adm');
+# for (@needed_services) {
+#     $needed_services{$_}++;
+# }
+# 
+# while (<SERVICES>) {
+#     m/^\s*([^\#\s][^\s]+)/;
+#     if ($needed_services{$1}) {
+# 	print "+ Commenting out old entry: $1\n" if $verbose;
+# 	print NEW_SERVICES "# $_";
+#     } else {
+# 	print NEW_SERVICES $_;
+#     }
+# }
+# 
+# close(SERVICES);
+# 
+# print NEW_SERVICES <<EOF || die "writing to /etc/services.new: $!\n";
+# 
+# klogin		543/tcp				# Kerberos authenticated rlogin
+# kshell          544/tcp         cmd             # and remote shell
+# kerberos	88/udp 		kdc		# Kerberos authentication--udp
+# kerberos	88/tcp 		kdc		# Kerberos authentication--tcp
+# kerberos-sec	750/udp 			# Kerberos authentication--udp
+# kerberos-sec	750/tcp 			# Kerberos authentication--tcp
+# kerberos5	88/udp 		kdc		# Kerberos authentication--udp
+# kerberos5	88/tcp 		kdc		# Kerberos authentication--tcp
+# kerberos4	750/udp 			# Kerberos authentication--udp
+# kerberos4	750/tcp 			# Kerberos authentication--tcp
+# kerberos_master	751/udp 			# Kerberos authentication
+# kerberos_master	751/tcp 			# Kerberos authentication
+# passwd_server	752/udp				# Kerberos passwd server
+# eklogin		2105/tcp			# Kerberos encrypted rlogin
+# krb5_prop	754/tcp				# Kerberos slave propagation
+# kerberos_adm	752/tcp				# Kerberos 5 admin/changepw
+# kerberos-adm	752/tcp				# Kerberos 5 admin/changepw
+# EOF
+# 
+# close(NEW_SERVICES) || die "error closing /etc/services.new: $!\n";
+# 
+# rename("/etc/services", "/etc/services.old") ||
+#     die "couldn't rename /etc/services to /etc/services.old: $!\n";
+# rename("/etc/services.new", "/etc/services") ||
+#     die "couldn't rename /etc/services.new to /etc/services: $!\n";
+# unlink("/etc/services.old") || die "couldn't unlink /etc/services: $!\n";
+# 
diff --git a/src/kadmin/testing/scripts/init_db b/src/kadmin/testing/scripts/init_db
new file mode 100644
index 000000000..c53ff96c1
--- /dev/null
+++ b/src/kadmin/testing/scripts/init_db
@@ -0,0 +1,181 @@
+#!/bin/sh
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+if $VERBOSE; then
+	REDIRECT=
+else
+	REDIRECT='>/dev/null'
+fi
+
+# Requires that /krb5, /etc/krb.conf, and .k5.$REALM be world-writeable.
+
+if [ "$TOP" = "" ]; then
+	echo "init_db: Environment variable \$TOP must point to top of build tree" 1>&2
+	exit 1
+fi
+
+IROOT=$TOP/..
+ADMIN=$TOP/create:$IROOT/admin/stash:$IROOT/admin/destroy
+BIN=$IROOT/bin
+ETC=$IROOT/etc
+SBIN=$TOP/keytab:$TOP/server
+DUMMY=${REALM=SECURE-TEST.OV.COM}; export REALM
+
+DUMMY=${TESTDIR=$TOP/testing}; export TESTDIR
+DUMMY=${SRVTCL=$TESTDIR/util/ovsec_kadm_srv_tcl}; export SRVTCL
+DUMMY=${TCLUTIL=$TESTDIR/tcl/util.t}; export TCLUTIL
+DUMMY=${LOCAL_MAKE_KEYTAB=$TESTDIR/scripts/make-host-keytab.pl}
+
+PATH=$ADMIN:$BIN:$ETC:$SBIN:$PATH; export PATH
+
+rm -rf /krb5/*
+if [ -d /krb5 ]; then
+	true
+else
+	mkdir /krb5
+fi
+
+# touch /krb5/syslog
+# for pid in `$PS_ALL | awk '/syslogd/ && !/awk/  {print $2}'` ; do
+# 	case "$pid" in
+# 		xxx) ;;
+# 		*)
+# 			if $VERBOSE; then $PS_PID$pid | grep -v COMMAND; fi
+# 			kill -1 $pid
+# 			;;
+# 	esac
+# done
+
+sed -e "s/__REALM__/$REALM/" < $TESTDIR/proto/krb5.conf.proto > /krb5/krb5.conf
+sed -e "s/__REALM__/$REALM/" < $TESTDIR/proto/kdc.conf.proto > /krb5/kdc.conf
+
+kdb5_create -P mrroot -s -r $REALM $REDIRECT
+
+cp $TESTDIR/proto/ovsec_adm.dict /krb5/ovsec_adm.dict
+
+eval $SRVTCL <<'EOF' $REDIRECT
+source $env(TCLUTIL)
+set r $env(REALM)
+
+set cmds {
+    {ovsec_kadm_init $env(SRVTCL) mrroot null $r $OVSEC_KADM_STRUCT_VERSION \
+	    $OVSEC_KADM_API_VERSION_1 server_handle}
+
+    {ovsec_kadm_create_policy $server_handle "test-pol 0 10000 8 2 3 0" \
+	    {OVSEC_KADM_POLICY OVSEC_KADM_PW_MIN_LENGTH OVSEC_KADM_PW_MIN_CLASSES OVSEC_KADM_PW_MAX_LIFE OVSEC_KADM_PW_HISTORY_NUM}}
+    {ovsec_kadm_create_policy $server_handle "once-a-min 30 0 0 0 0 0" \
+	    {OVSEC_KADM_POLICY OVSEC_KADM_PW_MIN_LIFE}}
+    {ovsec_kadm_create_policy $server_handle "dict-only 0 0 0 0 0 0" \
+	    {OVSEC_KADM_POLICY}}
+    {ovsec_kadm_create_policy $server_handle [simple_policy test-pol-nopw] \
+	    {OVSEC_KADM_POLICY}}
+
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal testuser@$r] {OVSEC_KADM_PRINCIPAL} notathena}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal test1@$r] {OVSEC_KADM_PRINCIPAL} test1}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal test2@$r] {OVSEC_KADM_PRINCIPAL} test2}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal test3@$r] {OVSEC_KADM_PRINCIPAL} test3}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/get@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/modify@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/delete@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/add@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/none@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/rename@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/mod-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/mod-delete@$r] {OVSEC_KADM_PRINCIPAL} \
+	    admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/get-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/get-delete@$r] {OVSEC_KADM_PRINCIPAL} \
+	    admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/get-mod@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/no-add@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal admin/no-delete@$r] {OVSEC_KADM_PRINCIPAL} admin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [princ_w_pol pol1@$r test-pol] {OVSEC_KADM_PRINCIPAL \
+	    OVSEC_KADM_POLICY} pol111111}
+    {ovsec_kadm_create_principal $server_handle \
+	    [princ_w_pol pol2@$r once-a-min] {OVSEC_KADM_PRINCIPAL \
+	    OVSEC_KADM_POLICY} pol222222}
+    {ovsec_kadm_create_principal $server_handle \
+	    [princ_w_pol pol3@$r dict-only] {OVSEC_KADM_PRINCIPAL \
+	    OVSEC_KADM_POLICY} pol333333}
+    {ovsec_kadm_create_principal $server_handle \
+	    [princ_w_pol admin/get-pol@$r test-pol-nopw] \
+	    {OVSEC_KADM_PRINCIPAL OVSEC_KADM_POLICY} StupidAdmin}
+    {ovsec_kadm_create_principal $server_handle \
+	    [princ_w_pol admin/pol@$r test-pol-nopw] {OVSEC_KADM_PRINCIPAL \
+	    OVSEC_KADM_POLICY} StupidAdmin}
+
+    {ovsec_kadm_create_principal $server_handle \
+	    [simple_principal changepw/kerberos] \
+            {OVSEC_KADM_PRINCIPAL} {XXX THIS IS WRONG}}
+
+    {ovsec_kadm_destroy $server_handle}
+}
+
+foreach cmd $cmds {
+    if {[catch $cmd output]} {
+	puts stderr "Error!  Command: $cmd\nError: $output"
+	exit 1
+    } else {
+	puts stdout $output
+    }
+}
+EOF
+
+if [ $? -ne 0 ]; then
+	echo "Error in $SRVTCL!" 1>&2
+	exit 1
+fi
+
+cat > /krb5/ovsec_adm.acl <<EOF
+admin@$REALM			admcil
+admin/get@$REALM		il
+admin/modify@$REALM		mc
+admin/delete@$REALM		d
+admin/add@$REALM		a
+admin/get-pol@$REALM		il
+admin/rename@$REALM		adil
+admin/mod-add@$REALM		amc
+admin/mod-delete@$REALM		mcd
+admin/get-add@$REALM		ail
+admin/get-delete@$REALM		ild
+admin/get-mod@$REALM		ilmc
+admin/no-add@$REALM		mcdil
+admin/no-delete@$REALM		amcil
+changepw/kerberos@$REALM	cil
+
+EOF
+
+eval $LOCAL_MAKE_KEYTAB -princ kadmin/admin -princ kadmin/changepw -princ ovsec_adm/admin -princ ovsec_adm/changepw /krb5/ovsec_adm.srvtab $REDIRECT
+
+# Create /krb5/setup.csh to make it easy to run other programs against
+# the test db
+cat > /krb5/setup.csh <<EOF
+setenv KRB5_CONFIG $KRB5_CONFIG
+setenv KRB5_KDC_PROFILE $KRB5_KDC_PROFILE
+setenv KRB5_KTNAME $KRB5_KTNAME
+EOF
+
diff --git a/src/kadmin/testing/scripts/make-host-keytab.pl.in b/src/kadmin/testing/scripts/make-host-keytab.pl.in
new file mode 100644
index 000000000..14d7b10b5
--- /dev/null
+++ b/src/kadmin/testing/scripts/make-host-keytab.pl.in
@@ -0,0 +1,138 @@
+#!/usr/local/bin/perl 
+
+$server = undef;
+@princs = ();
+$top = undef;
+
+($whoami = $0) =~ s,.*/,,;
+$usage = "Usage: $whoami [ -server server ] [ -princ principal ]
+		[ -top dirname ] [ -verbose ] filename
+	Server defaults to the local host.
+	Default principals are host/hostname\@SECURE-TEST.OV.COM and
+	  test/hostname\@SECURE-TEST.OV.COM.
+	If any principals are specified, the default principals are
+	  not added to the srvtab.
+	The string \"xCANONHOSTx\" in a principal specification will be
+	  replaced by the canonical host name of the local host.";
+
+@ORIG_ARGV = @ARGV;
+
+while (($_ = $ARGV[0]) && /^-/) {
+    shift;
+    if (/^-server$/) {
+	($server = shift) || die "Missing argument to $_ option.\n$usage\n";
+    }
+    elsif (/^-princ$/) {
+	($princ = shift) || die "Missing argument to $_ option.\n$usage\n";
+	push(@princs, $princ);
+    }
+    elsif (/^-top$/) {
+	($top = shift) || die "Missing argument to $_ option.\n$usage\n";
+    }
+    elsif (/^-verbose$/) {
+	$verbose++;
+    }
+    elsif (/^--$/) {
+	last;
+    }
+    else {
+	die "Unknown option $_.\n$usage\n";
+    }
+}
+
+@princs = ("host/xCANONHOSTx\@SECURE-TEST.OV.COM",
+	   "test/xCANONHOSTx\@SECURE-TEST.OV.COM")
+    if (! @princs);
+
+$ktfile = shift(@ARGV) || die "need a keytab file\n";
+
+$verbose++ if ($ENV{'VERBOSE_TEST'});
+
+print "In $0 @ORIG_ARGV...\n" if ($verbose);
+
+chop ($canonhost = `hostname`);
+
+($canonhost,$aliases,$addrtype,$length,@addrs) = gethostbyname($canonhost);
+die "couldn't get canonical hostname\n" if !($canonhost && @addrs);
+($canonhost) = gethostbyaddr($addrs[0],$addrtype);
+die "couldn't get canonical hostname\n" if (!$canonhost);
+
+for (@princs) {
+    s/xCANONHOSTx/$canonhost/g;
+}
+
+die "Neither \$TOP nor \$TESTDIR is set, and -top not specified.\n"
+    if (! ($top || $ENV{'TOP'} || $ENV{'TESTDIR'}));
+
+$top = $ENV{'TOP'} if (! $top);
+$TESTDIR = ($ENV{'TESTDIR'} || "$top/testing");
+$MAKE_KEYTAB = ($ENV{'MAKE_KEYTAB'} || "$TESTDIR/scripts/$whoami");
+$SRVTCL = ($ENV{'SRVTCL'} || "$TESTDIR/util/ovsec_kadm_srv_tcl");
+$TCLUTIL = ($ENV{'TCLUTIL'} || "$TESTDIR/tcl/util.t");
+# This'll be wrong sometimes
+$RSH_CMD = ($ENV{'RSH_CMD'} || '/usr/ucb/rsh');
+$EDIT_KEYTAB = ($ENV{'EDIT_KEYTAB'} || "$top/keytab/kadm5_keytab.local");
+
+if ($server) {
+# XXX Using /usr/ucb/rsh for now.
+
+# Strip command line options because we're adding our own.
+
+    $MAKE_KEYTAB =~ s/ .*//;
+
+    if ($ENV{'TOP'} && ($top ne $ENV{'TOP'})) {
+# Replace the old TOP with the new one where necessary
+	for ('TESTDIR', 'SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+	    eval "\$$_ =~ s/^\$ENV{'TOP'}/\$top/;";
+	}
+
+# Make the paths as short as possible so our command line isn't too long.
+#	for ('SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+#	    eval "\$$_ =~ s/^\$TESTDIR/\\\\\\\$TESTDIR/;";
+#	}
+#	for ('TESTDIR', 'SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+#	    eval "\$$_ =~ s/^\$top/\\\\\\\$TOP/;";
+#	}
+    }
+
+    $cmd = "cd $top; \\`testing/scripts/find-make.sh\\` execute TOP=$top ";
+    $cmd .= "VERBOSE_TEST=$verbose " if ($verbose);
+    $cmd .= "TESTDIR=$TESTDIR ";
+    $cmd .= "SRVTCL=$SRVTCL ";
+    $cmd .= "TCLUTIL=$TCLUTIL ";
+
+    $cmd .= "CMD='$MAKE_KEYTAB ";
+    for (@princs) {
+	$cmd .= "-princ $_ ";
+    }
+    $cmd .= " /tmp/make-keytab.$canonhost.$$'";#';
+
+    $cmd = "$RSH_CMD $server -l root -n \"$cmd\"";
+
+    $cmd2 = "$RSH_CMD $server -l root -n \"cat /tmp/make-keytab.$canonhost.$$\" > $ktfile";
+
+    $cmd3 = "$RSH_CMD $server -l root -n \"rm /tmp/make-keytab.$canonhost.$$\"";
+
+    for ($cmd, $cmd2, $cmd3) {
+	print "$_\n" if ($verbose);
+
+	system($_) && die "Couldn't run $_: $!.\n";
+    }
+}
+else {
+    $redirect = "> /dev/null" if (! $verbose);
+
+    $cmd = "$EDIT_KEYTAB -k $ktfile";
+    $cmd .= " -q" if (! $verbose);
+    $cmd .= " -a -c";
+    for (@princs) {
+	if (system "$cmd $_") {
+	    sleep(1);
+	    die "Error in system($cmd $_)\n";
+	}
+    }
+}
+
+if (! -f $ktfile) {
+    die "$ktfile not created.\n";
+}
diff --git a/src/kadmin/testing/scripts/make-host-keytab.plin b/src/kadmin/testing/scripts/make-host-keytab.plin
new file mode 100644
index 000000000..14d7b10b5
--- /dev/null
+++ b/src/kadmin/testing/scripts/make-host-keytab.plin
@@ -0,0 +1,138 @@
+#!/usr/local/bin/perl 
+
+$server = undef;
+@princs = ();
+$top = undef;
+
+($whoami = $0) =~ s,.*/,,;
+$usage = "Usage: $whoami [ -server server ] [ -princ principal ]
+		[ -top dirname ] [ -verbose ] filename
+	Server defaults to the local host.
+	Default principals are host/hostname\@SECURE-TEST.OV.COM and
+	  test/hostname\@SECURE-TEST.OV.COM.
+	If any principals are specified, the default principals are
+	  not added to the srvtab.
+	The string \"xCANONHOSTx\" in a principal specification will be
+	  replaced by the canonical host name of the local host.";
+
+@ORIG_ARGV = @ARGV;
+
+while (($_ = $ARGV[0]) && /^-/) {
+    shift;
+    if (/^-server$/) {
+	($server = shift) || die "Missing argument to $_ option.\n$usage\n";
+    }
+    elsif (/^-princ$/) {
+	($princ = shift) || die "Missing argument to $_ option.\n$usage\n";
+	push(@princs, $princ);
+    }
+    elsif (/^-top$/) {
+	($top = shift) || die "Missing argument to $_ option.\n$usage\n";
+    }
+    elsif (/^-verbose$/) {
+	$verbose++;
+    }
+    elsif (/^--$/) {
+	last;
+    }
+    else {
+	die "Unknown option $_.\n$usage\n";
+    }
+}
+
+@princs = ("host/xCANONHOSTx\@SECURE-TEST.OV.COM",
+	   "test/xCANONHOSTx\@SECURE-TEST.OV.COM")
+    if (! @princs);
+
+$ktfile = shift(@ARGV) || die "need a keytab file\n";
+
+$verbose++ if ($ENV{'VERBOSE_TEST'});
+
+print "In $0 @ORIG_ARGV...\n" if ($verbose);
+
+chop ($canonhost = `hostname`);
+
+($canonhost,$aliases,$addrtype,$length,@addrs) = gethostbyname($canonhost);
+die "couldn't get canonical hostname\n" if !($canonhost && @addrs);
+($canonhost) = gethostbyaddr($addrs[0],$addrtype);
+die "couldn't get canonical hostname\n" if (!$canonhost);
+
+for (@princs) {
+    s/xCANONHOSTx/$canonhost/g;
+}
+
+die "Neither \$TOP nor \$TESTDIR is set, and -top not specified.\n"
+    if (! ($top || $ENV{'TOP'} || $ENV{'TESTDIR'}));
+
+$top = $ENV{'TOP'} if (! $top);
+$TESTDIR = ($ENV{'TESTDIR'} || "$top/testing");
+$MAKE_KEYTAB = ($ENV{'MAKE_KEYTAB'} || "$TESTDIR/scripts/$whoami");
+$SRVTCL = ($ENV{'SRVTCL'} || "$TESTDIR/util/ovsec_kadm_srv_tcl");
+$TCLUTIL = ($ENV{'TCLUTIL'} || "$TESTDIR/tcl/util.t");
+# This'll be wrong sometimes
+$RSH_CMD = ($ENV{'RSH_CMD'} || '/usr/ucb/rsh');
+$EDIT_KEYTAB = ($ENV{'EDIT_KEYTAB'} || "$top/keytab/kadm5_keytab.local");
+
+if ($server) {
+# XXX Using /usr/ucb/rsh for now.
+
+# Strip command line options because we're adding our own.
+
+    $MAKE_KEYTAB =~ s/ .*//;
+
+    if ($ENV{'TOP'} && ($top ne $ENV{'TOP'})) {
+# Replace the old TOP with the new one where necessary
+	for ('TESTDIR', 'SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+	    eval "\$$_ =~ s/^\$ENV{'TOP'}/\$top/;";
+	}
+
+# Make the paths as short as possible so our command line isn't too long.
+#	for ('SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+#	    eval "\$$_ =~ s/^\$TESTDIR/\\\\\\\$TESTDIR/;";
+#	}
+#	for ('TESTDIR', 'SRVTCL', 'TCLUTIL', 'MAKE_KEYTAB') {
+#	    eval "\$$_ =~ s/^\$top/\\\\\\\$TOP/;";
+#	}
+    }
+
+    $cmd = "cd $top; \\`testing/scripts/find-make.sh\\` execute TOP=$top ";
+    $cmd .= "VERBOSE_TEST=$verbose " if ($verbose);
+    $cmd .= "TESTDIR=$TESTDIR ";
+    $cmd .= "SRVTCL=$SRVTCL ";
+    $cmd .= "TCLUTIL=$TCLUTIL ";
+
+    $cmd .= "CMD='$MAKE_KEYTAB ";
+    for (@princs) {
+	$cmd .= "-princ $_ ";
+    }
+    $cmd .= " /tmp/make-keytab.$canonhost.$$'";#';
+
+    $cmd = "$RSH_CMD $server -l root -n \"$cmd\"";
+
+    $cmd2 = "$RSH_CMD $server -l root -n \"cat /tmp/make-keytab.$canonhost.$$\" > $ktfile";
+
+    $cmd3 = "$RSH_CMD $server -l root -n \"rm /tmp/make-keytab.$canonhost.$$\"";
+
+    for ($cmd, $cmd2, $cmd3) {
+	print "$_\n" if ($verbose);
+
+	system($_) && die "Couldn't run $_: $!.\n";
+    }
+}
+else {
+    $redirect = "> /dev/null" if (! $verbose);
+
+    $cmd = "$EDIT_KEYTAB -k $ktfile";
+    $cmd .= " -q" if (! $verbose);
+    $cmd .= " -a -c";
+    for (@princs) {
+	if (system "$cmd $_") {
+	    sleep(1);
+	    die "Error in system($cmd $_)\n";
+	}
+    }
+}
+
+if (! -f $ktfile) {
+    die "$ktfile not created.\n";
+}
diff --git a/src/kadmin/testing/scripts/qualname b/src/kadmin/testing/scripts/qualname
new file mode 100644
index 000000000..3d047c550
--- /dev/null
+++ b/src/kadmin/testing/scripts/qualname
@@ -0,0 +1,18 @@
+#!/afs/athena/contrib/perl/p
+
+if ($#ARGV == -1) {
+    chop($hostname = `hostname`);
+} else {
+    $hostname = $ARGV[0];
+}
+
+if (! (($type,$addr) = (gethostbyname($hostname))[2,4])) {
+    print STDERR "No such host: $hostname\n";
+    exit(1);
+}
+if (! ($qualname = (gethostbyaddr($addr,$type))[0])) {
+    print STDERR "No address information for host $hostname\n";
+    exit(1);
+}
+print "$qualname\n";
+
diff --git a/src/kadmin/testing/scripts/save_files.sh b/src/kadmin/testing/scripts/save_files.sh
new file mode 100644
index 000000000..b9fc37319
--- /dev/null
+++ b/src/kadmin/testing/scripts/save_files.sh
@@ -0,0 +1,67 @@
+#!/bin/sh
+
+while [ $# -gt 0 ] ; do
+	case $1 in
+		-start_servers)
+			start_servers=$1
+			;;
+	esac
+	shift
+done
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+# files="/etc/inetd.conf /etc/syslog.conf /etc/krb.conf \
+# 	/etc/krb.realms /etc/passwd /etc/services /etc/v5srvtab \
+# 	/etc/rc.local /etc/shadow /etc/security/passwd /.k5login \
+# 	/.secure/etc/passwd /etc/athena/inetd.conf"
+
+files="/etc/krb.conf /etc/krb.realms /etc/athena/krb.conf \
+	/etc/athena/krb.realms /etc/v5srvtab"
+
+name=`basename $0`
+
+make_dne_name()
+{
+	dne_name="/tmp/"`echo $1 | sed -e 's,/,#,g'`".did-not-exist"
+}
+	
+for f in $files ; do
+	if [ "$name" = "save_files.sh" ]; then
+		if [ -f $f.pre-secure ]; then 
+			if $VERBOSE; then
+			     echo "Warning!  $f.pre-secure exists, not saving."
+			fi
+		elif [ ! -f $f ]; then
+			make_dne_name $f
+			cp /dev/null $dne_name
+		else
+			cp $f $f.pre-secure
+		fi
+	else
+		make_dne_name $f
+		if [ -f $dne_name ]; then
+			rm -f $f $dne_name
+		elif [ ! -f $f.pre-secure ]; then
+			if [ "x$start_servers" = "x" ]; then
+			  echo "Warning!  $f.pre-secure does not exist!" 1>&2
+			fi
+		else
+			if cp $f.pre-secure $f; then
+				rm $f.pre-secure
+			else
+				echo "Warning! cp failed!" 1>&2
+			fi
+		fi
+	fi
+done
+
+# DUMMY=${INETD:=/etc/inetd}
+# if $VERBOSE; then
+# 	echo "Killing and restarting $INETD"
+# fi
+# kill `$PS_ALL | awk '/inetd/ && !/awk/ {print $2}'`
+# $INETD
diff --git a/src/kadmin/testing/scripts/simple_dump.pl.in b/src/kadmin/testing/scripts/simple_dump.pl.in
new file mode 100644
index 000000000..ea94ab2d1
--- /dev/null
+++ b/src/kadmin/testing/scripts/simple_dump.pl.in
@@ -0,0 +1,88 @@
+#!/usr/local/bin/perl
+
+#
+# $Id$
+#
+
+## ovsec_adm_export format
+## [0]"policy" [1]name [2]pw_min_life [3]pw_max_life [4]pw_min_length [5]pw_min_classes [6]pw_history_num [7]policy_refcnt
+## [0]"princ" [1]name [2]policy [3]aux_attributes [4]old_key_len [5]admin_history_kvno [6..]old_keys
+$oaevers = "1.0";
+
+open(SORT, "|sort") || die "Couldn't open pipe to sort for output: $!\n";
+
+open(OAE, "$ENV{'TOP'}/install/admin/ovsec_adm_export|") ||
+    die "Couldn't get oae: $!\n";
+
+$header = <OAE>;
+
+die "Not ovsec_adm_export output\n"
+    if ($header !~ /^OpenV\*Secure V(\d+\.\d+)/);
+
+$stdinvers = $1;
+
+die "Expected oae version $oaevers, got $stdinvers instead.\n"
+    if $stdinvers ne $oaevers;
+
+while(<OAE>) {
+    if (/^End of Database/) {
+	last;
+    } elsif (/^policy/) {
+	print SORT;
+    } elsif (/^princ/) {
+	split(/\t/);
+
+	$_[2] = "\"\"" if !$_[2];
+
+	$_[3] = hex("0x".$_[3]);
+
+	$princ{$_[1]} = sprintf("%s\t0x%04x",@_[2,3]);
+    }
+}
+
+## kdb_edit ddb format
+## [0]strlen(principal) [1]strlen(mod_name) [2]key.length [3]alt_key.length [4]salt_length [5]alt_salt_length [6]principal [7]key.key_type [8]key.contents [9]kvno [10]max_life [11]max_renewable_life [12]mkvno [13]expiration [14]pw_expiration [15]last_pwd_change [16]last_success [17]last_failed [18]fail_auth_count [19]mod_name [20]mod_date [21]attributes [22]salt_type [23]salt [24]alt_key.contents [25]alt_salt [26..33]expansion*8;
+$ddbvers = "2.0";
+
+open(DDB, "$ENV{'TOP'}/install/admin/kdb5_edit -r SECURE-TEST.OV.COM -R ddb|") ||
+    die "Couldn't get ddb: $!\n";
+
+$header = <DDB>;
+
+die "Not a kdb5_edit ddb\n"
+    if ($header !~ /^kdb5_edit load_dump version (\d+\.\d+)/);
+
+$stdinvers = $1;
+
+die "Expected ddb version $ddbvers, got $stdinvers instead.\n"
+    if $stdinvers ne $ddbvers;
+
+## [6]principal [9]kvno [19]mod_name [10]max_life [13]expiration [14]pw_expiration [21]attributes // [2]policy [3]aux_attributes
+
+while(<DDB>) {
+    split;
+
+    print SORT join("\t","princ",(@_)[6,9,19,10,13,14],
+		    sprintf("0x%04x",$_[21]),
+		    $princ{$_[6]}),"\n";
+}
+
+close(DDB);
+
+for $keytab (@ARGV) {
+    open(KLIST, "$ENV{'TOP'}/install/bin/klist -k -t -K FILE:$keytab|") ||
+	die "Couldn't list $keytab: $!\n";
+
+    $dummy = <KLIST>;
+    $dummy = <KLIST>;
+    $dummy = <KLIST>;
+
+    while(<KLIST>) {
+	s/^\s+//;
+	split;
+	printf(SORT "keytab:FILE:%s\t%s-%s\t%s\t%s,%s\n",$keytab,
+	       @_[3,0,4,1,2]);
+    }
+}
+
+close(SORT);
diff --git a/src/kadmin/testing/scripts/simple_dump.plin b/src/kadmin/testing/scripts/simple_dump.plin
new file mode 100644
index 000000000..ea94ab2d1
--- /dev/null
+++ b/src/kadmin/testing/scripts/simple_dump.plin
@@ -0,0 +1,88 @@
+#!/usr/local/bin/perl
+
+#
+# $Id$
+#
+
+## ovsec_adm_export format
+## [0]"policy" [1]name [2]pw_min_life [3]pw_max_life [4]pw_min_length [5]pw_min_classes [6]pw_history_num [7]policy_refcnt
+## [0]"princ" [1]name [2]policy [3]aux_attributes [4]old_key_len [5]admin_history_kvno [6..]old_keys
+$oaevers = "1.0";
+
+open(SORT, "|sort") || die "Couldn't open pipe to sort for output: $!\n";
+
+open(OAE, "$ENV{'TOP'}/install/admin/ovsec_adm_export|") ||
+    die "Couldn't get oae: $!\n";
+
+$header = <OAE>;
+
+die "Not ovsec_adm_export output\n"
+    if ($header !~ /^OpenV\*Secure V(\d+\.\d+)/);
+
+$stdinvers = $1;
+
+die "Expected oae version $oaevers, got $stdinvers instead.\n"
+    if $stdinvers ne $oaevers;
+
+while(<OAE>) {
+    if (/^End of Database/) {
+	last;
+    } elsif (/^policy/) {
+	print SORT;
+    } elsif (/^princ/) {
+	split(/\t/);
+
+	$_[2] = "\"\"" if !$_[2];
+
+	$_[3] = hex("0x".$_[3]);
+
+	$princ{$_[1]} = sprintf("%s\t0x%04x",@_[2,3]);
+    }
+}
+
+## kdb_edit ddb format
+## [0]strlen(principal) [1]strlen(mod_name) [2]key.length [3]alt_key.length [4]salt_length [5]alt_salt_length [6]principal [7]key.key_type [8]key.contents [9]kvno [10]max_life [11]max_renewable_life [12]mkvno [13]expiration [14]pw_expiration [15]last_pwd_change [16]last_success [17]last_failed [18]fail_auth_count [19]mod_name [20]mod_date [21]attributes [22]salt_type [23]salt [24]alt_key.contents [25]alt_salt [26..33]expansion*8;
+$ddbvers = "2.0";
+
+open(DDB, "$ENV{'TOP'}/install/admin/kdb5_edit -r SECURE-TEST.OV.COM -R ddb|") ||
+    die "Couldn't get ddb: $!\n";
+
+$header = <DDB>;
+
+die "Not a kdb5_edit ddb\n"
+    if ($header !~ /^kdb5_edit load_dump version (\d+\.\d+)/);
+
+$stdinvers = $1;
+
+die "Expected ddb version $ddbvers, got $stdinvers instead.\n"
+    if $stdinvers ne $ddbvers;
+
+## [6]principal [9]kvno [19]mod_name [10]max_life [13]expiration [14]pw_expiration [21]attributes // [2]policy [3]aux_attributes
+
+while(<DDB>) {
+    split;
+
+    print SORT join("\t","princ",(@_)[6,9,19,10,13,14],
+		    sprintf("0x%04x",$_[21]),
+		    $princ{$_[6]}),"\n";
+}
+
+close(DDB);
+
+for $keytab (@ARGV) {
+    open(KLIST, "$ENV{'TOP'}/install/bin/klist -k -t -K FILE:$keytab|") ||
+	die "Couldn't list $keytab: $!\n";
+
+    $dummy = <KLIST>;
+    $dummy = <KLIST>;
+    $dummy = <KLIST>;
+
+    while(<KLIST>) {
+	s/^\s+//;
+	split;
+	printf(SORT "keytab:FILE:%s\t%s-%s\t%s\t%s,%s\n",$keytab,
+	       @_[3,0,4,1,2]);
+    }
+}
+
+close(SORT);
diff --git a/src/kadmin/testing/scripts/start_servers b/src/kadmin/testing/scripts/start_servers
new file mode 100644
index 000000000..2e395faf8
--- /dev/null
+++ b/src/kadmin/testing/scripts/start_servers
@@ -0,0 +1,70 @@
+#!/bin/sh
+#
+# Usage: start_servers [hostname [path]]
+#
+# This script turns a host into a OpenV*Secure primary server for the
+# realm SECURE-TEST.OV.COM.  If no arguments are specified,
+# the local host is affected.  Otherwise, the host hostname is
+# affected; the path argument is the top of the Secure install tree on
+# that host, and if it is not specified the current canonical value of
+# TOP is used.
+
+DUMMY=${TESTDIR=$TOP/testing}
+DUMMY=${SAVE_FILES=$TESTDIR/scripts/save_files.sh}
+DUMMY=${FIX_CONF_FILES=$TESTDIR/scripts/fixup-conf-files.pl}
+DUMMY=${START_SERVERS_LOCAL=$TESTDIR/scripts/start_servers_local}
+# This'll be wrong sometimes
+DUMMY=${RSH_CMD=/usr/ucb/rsh}
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+local=1
+
+if [ $# -gt 0 ]; then
+	if [ $# != 1 -a $# != 2 ]; then
+		echo "Usage: $0 [hostname [path]]" 1>&2
+		exit 1
+	fi
+
+	local=0
+	hostname=$1
+	if [ $# = 1 ]; then
+		rempath=`sh -c "cd $TOP && pwd"`
+	else
+		rempath=$2
+	fi
+fi
+
+if [ $local = 0 ]; then
+	$SAVE_FILES || exit 1
+	$FIX_CONF_FILES -server $hostname || exit 1
+
+# Using /usr/ucb/rsh and getting rid of "-k $REALM" until we get
+# around to fixing the fact that Kerberos rsh doesn't strip out "-k
+# REALM" when falling back.
+
+	START_SERVERS_LOCAL=`echo $START_SERVERS_LOCAL|sed "s%$TOP%$rempath%"`
+	CMD="$RSH_CMD $hostname -l root -n \
+	  \"cd $rempath; \\\`testing/scripts/find-make.sh\\\` execute VERBOSE_TEST=$VERBOSE_TEST \
+	    TOP=$rempath \
+	    CMD='$START_SERVERS_LOCAL $rempath'\""
+
+	if $VERBOSE; then
+		echo "+++"
+		echo "+++ Begin execution of start_servers_local on $hostname"
+		echo "+++"
+		echo $CMD
+	fi
+	eval $CMD
+	if $VERBOSE; then
+		echo "+++"
+		echo "+++ End execution of start_servers_local on $hostname"
+		echo "+++"
+	fi
+else
+	$START_SERVERS_LOCAL
+fi
+
diff --git a/src/kadmin/testing/scripts/start_servers_local b/src/kadmin/testing/scripts/start_servers_local
new file mode 100644
index 000000000..a9c8e7957
--- /dev/null
+++ b/src/kadmin/testing/scripts/start_servers_local
@@ -0,0 +1,196 @@
+#!/bin/sh
+
+DUMMY=${TESTDIR=$TOP/testing}
+DUMMY=${SAVE_FILES=$TESTDIR/scripts/save_files.sh}
+DUMMY=${FIX_CONF_FILES=$TESTDIR/scripts/fixup-conf-files.pl}
+DUMMY=${INITDB=$TESTDIR/scripts/init_db}
+DUMMY=${SRVTCL=$TESTDIR/util/ovsec_kadm_srv_tcl}; export SRVTCL
+DUMMY=${LOCAL_MAKE_KEYTAB=$TESTDIR/scripts/make-host-keytab.pl}
+DUMMY=${STOP_SERVERS_LOCAL=$TESTDIR/scripts/stop_servers_local}
+
+if [ -d /usr/tmp ]; then
+	usrtmp=/usr/tmp
+else
+	usrtmp=/var/tmp
+fi
+
+$STOP_SERVERS_LOCAL -start_servers
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+if $VERBOSE; then
+	REDIRECT=
+else
+	REDIRECT='>/dev/null'
+fi
+
+v4files=false
+while :; do
+	case $1 in
+	-keysalt)
+		shift
+		if [ $# -gt 0 ]; then
+			keysalts="$keysalts $1"
+		else
+			break
+		fi
+		;;
+	-kdcport)
+		shift
+		if [ $# -gt 0 ]; then
+			kdcport=$1
+		else
+			break
+		fi
+		;;
+	-v4files)
+		if [ "`whoami`" != "root" ]; then
+			echo "You must be root to use -v4files!" 1>&2
+			exit 1
+		fi
+		v4files=true
+		;;
+	*)
+		break
+		;;
+	esac
+	shift
+done
+
+if [ $# -gt 1 ]; then
+	echo "Usage: $0 [-kdcport port] [-keysalts tuple] ... [top]" 1>&2
+	exit 1
+elif [ $# = 1 ]; then
+	TOP=$1
+	export TOP
+fi
+
+# fixup the system config files
+if $v4files; then
+	$SAVE_FILES || exit 1
+	$FIX_CONF_FILES || exit 1
+fi
+
+# create a fresh db
+
+$INITDB "$keysalts" || exit 1
+
+# Post-process the config files based on our arguments
+if [ "$keysalts" != "" ]; then
+	sedcmd="s/\([ 	]*supported_enctypes =\).*/\1 $keysalts/"
+	sed -e "$sedcmd" < /krb5/kdc.conf > /krb5/kdc.conf.new
+	mv /krb5/kdc.conf.new /krb5/kdc.conf
+fi
+if [ "$kdcport" != "" ] ; then
+	sedcmd="s/\(kdc_ports = .*\)[ 	]*/\1, $kdcport/"
+	sed -e "$sedcmd" < /krb5/kdc.conf > /krb5/kdc.conf.new
+	mv /krb5/kdc.conf.new /krb5/kdc.conf
+fi
+
+# allow admin to krlogin as root (for cleanup)
+DUMMY=${REALM=SECURE-TEST.OV.COM}; export REALM
+hostname=`hostname`
+QUALNAME=`$TOP/testing/scripts/qualname $hostname`; export QUALNAME
+
+eval $SRVTCL <<'EOF' $REDIRECT
+source $env(TOP)/testing/tcl/util.t
+set r $env(REALM)
+set q $env(QUALNAME)
+puts stdout [ovsec_kadm_init $env(SRVTCL) mrroot null $r \
+	$OVSEC_KADM_STRUCT_VERSION $OVSEC_KADM_API_VERSION_1 server_handle]
+puts stdout [ovsec_kadm_create_principal $server_handle \
+	[simple_principal host/$q@$r] {OVSEC_KADM_PRINCIPAL} notathena]
+puts stdout [ovsec_kadm_destroy $server_handle]
+EOF
+
+# rm -f /etc/v5srvtab
+# eval $LOCAL_MAKE_KEYTAB -princ host/xCANONHOSTx /etc/v5srvtab $REDIRECT
+
+# run the servers (from the build tree)
+
+adm_start_file=/tmp/adm_server_start.$$
+kdc_start_file=/tmp/kdc_server_start.$$
+
+rm -f $kdc_start_file
+
+(trap "" 2; cd $TOP/../kdc; ./krb5kdc; touch $kdc_start_file) \
+	< /dev/null > $usrtmp/kdc-log 2>&1 &
+
+s=10
+max_s=60
+sofar_s=0
+timewait_s=300
+
+while true; do
+	rm -f $adm_start_file
+
+	(sleep 5; cd $TOP/server; ./kadmind $ovadm_args; \
+		touch $adm_start_file) < /dev/null > $usrtmp/kadm-log 2>&1 &
+
+	# wait until they start
+
+	while [ $sofar_s -le $max_s ]; do
+		if $VERBOSE; then
+			echo "Sleeping for $s seconds to allow servers" \
+				"to start..."
+		fi
+
+		sofar_s=`expr $sofar_s + $s`
+
+		sleep $s
+
+		if [ -f $adm_start_file -a -f $kdc_start_file ]; then
+			break
+		fi
+
+	done
+
+	if [ $sofar_s -le $max_s ]; then
+		if $VERBOSE; then
+			LOG_USER='log_user 1'
+		else
+			LOG_USER='log_user 0'
+		fi
+		if expect <<EOF
+		$LOG_USER
+		spawn telnet localhost 1751
+		expect {
+			"Connection refused" {
+				close
+				wait
+				exit 1
+			}
+			"Connected" {
+				send "close\n"
+				close
+				wait
+				exit 0
+			}
+			default {
+				catch {close}
+				wait
+				exit 1
+			}
+		}
+EOF
+		then
+			rm -f $kdc_start_file $adm_start_file
+			break
+		else
+			if $VERBOSE; then
+				echo "Could not connect to Admin server;" \
+					"attempting restart ($sofar_s" \
+					"seconds so far)."
+			fi
+			max_s=$timewait_s
+			continue
+		fi
+	else
+		echo "Admin server or KDC failed to start after $sofar_s" \
+			"seconds." 1>&2
+		exit 1
+	fi
+done
diff --git a/src/kadmin/testing/scripts/stop_servers b/src/kadmin/testing/scripts/stop_servers
new file mode 100644
index 000000000..fc5372dd4
--- /dev/null
+++ b/src/kadmin/testing/scripts/stop_servers
@@ -0,0 +1,84 @@
+#!/bin/sh
+#
+# Usage: stop_servers [hostname [path]]
+#
+# This script turns a host into a OpenV*Secure primary server for the
+# realm SECURE-TEST.OV.COM.  If no arguments are specified,
+# the local host is affected.  Otherwise, the host hostname is
+# affected; the path argument is the top of the Secure install tree on
+# that host, and if it is not specified the current canonical value of
+# TOP is used.
+
+DUMMY=${TESTDIR=$TOP/testing}
+DUMMY=${FIX_CONF_FILES=$TESTDIR/scripts/fixup-conf-files.pl}
+DUMMY=${STOP_SERVERS_LOCAL=$TESTDIR/scripts/stop_servers_local}
+# This'll be wrong sometimes
+DUMMY=${RSH_CMD=/usr/ucb/rsh}
+DUMMY=${RESTORE_FILES=$TESTDIR/scripts/restore_files.sh}
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+local=1
+
+if [ $# -gt 0 ]; then
+	if [ $# != 1 -a $# != 2 ]; then
+		echo "Usage: $0 [hostname [path]]" 1>&2
+		exit 1
+	fi
+
+	local=0
+	hostname=$1
+	if [ $# = 1 ]; then
+		rempath=`sh -c "cd $TOP && pwd"`
+	else
+		rempath=$2
+	fi
+fi
+
+if [ $local = 0 ]; then
+	if $VERBOSE; then
+		echo "+++ Stopping servers on remote host $hostname..."
+	fi
+
+#	$FIX_CONF_FILES -server $hostname
+#
+#	KRB5CCNAME=FILE:/tmp/krb5cc_stop_servers; export KRB5CCNAME
+#
+#	expect <<EOF
+#spawn kinit admin
+#expect {
+#	-re "Password for admin@SECURE-TEST.OV.COM" {
+#		send "admin\n"
+#	}
+#}
+#expect { eof { } }
+#EOF
+
+# Using /usr/ucb/rsh and getting rid of "-k REALM" until we get around
+# to fixing the fact that Kerberos rsh doesn't strip out "-k REALM"
+# when falling back.
+
+	STOP_SERVERS_LOCAL=`echo $STOP_SERVERS_LOCAL | sed "s%$TOP%$rempath%"`
+	CMD="$RSH_CMD $hostname -l root -n\
+	      \"cd $rempath; \\\`testing/scripts/find-make.sh\\\` execute VERBOSE_TEST=$VERBOSE_TEST \
+		TOP=$rempath \
+		CMD='$STOP_SERVERS_LOCAL $rempath'\""
+	if $VERBOSE; then
+		echo "+++"
+		echo "+++ Begin execution of stop_servers_local on $hostname"
+		echo "+++"
+		echo $CMD
+	fi
+	eval $CMD
+	if $VERBOSE; then
+		echo "+++"
+		echo "+++ End execution of stop_servers_local on $hostname"
+		echo "+++"
+	fi
+	$RESTORE_FILES
+else
+	$STOP_SERVERS_LOCAL
+fi
diff --git a/src/kadmin/testing/scripts/stop_servers_local b/src/kadmin/testing/scripts/stop_servers_local
new file mode 100644
index 000000000..c0a97ef27
--- /dev/null
+++ b/src/kadmin/testing/scripts/stop_servers_local
@@ -0,0 +1,49 @@
+#!/bin/sh
+
+DUMMY=${TESTDIR=$TOP/testing}
+DUMMY=${RESTORE_FILES=$TESTDIR/scripts/restore_files.sh}
+
+# If it's set, set it to true
+VERBOSE=${VERBOSE_TEST:+true}
+# Otherwise, set it to false
+DUMMY=${VERBOSE:=false}
+
+v4files=false
+while [ $# -gt 0 ] ; do
+	case $1 in
+		-start_servers)
+			start_servers=$1
+			;;
+		-v4files)
+			v4files=true
+			;;
+		*) 
+			TOP=$1
+			export TOP
+			;;
+	esac
+	shift
+done
+
+# kill any running servers.
+
+if $VERBOSE; then echo "Killing servers:"; fi
+
+for pid in xxx \
+	`$PS_ALL | grep krb5kdc | grep -v grep | awk '{print $2}'` \
+	`$PS_ALL | grep kadmind | grep -v grep | awk '{print $2}'` \
+	; do
+	case "$pid" in
+		xxx)
+			;;
+		*)
+			if $VERBOSE; then $PS_PID$pid | grep -v COMMAND; fi
+			kill $pid
+			;;
+	esac
+done
+
+# restore saved system config files
+if $v4files; then
+	$RESTORE_FILES $start_servers
+fi
diff --git a/src/kadmin/testing/scripts/verify_xrunner_report.pl.in b/src/kadmin/testing/scripts/verify_xrunner_report.pl.in
new file mode 100644
index 000000000..9d83c3ea2
--- /dev/null
+++ b/src/kadmin/testing/scripts/verify_xrunner_report.pl.in
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl
+
+sub usage { die "usage: $0 reportfile\n"; }
+
+$report = shift(@ARGV) || die &usage;
+
+open(REPORT, $report) || die "Couldn't open $report: $!\n";
+
+while(<REPORT>) {
+    if (/Process termination:/ && !/\bOK\b/) {
+	warn "Process termination not OK\n";
+	$warnings++;
+    } elsif (/Number of detected mismatches:\s*(\d+)/ && ($1 ne "0")) {
+	warn "Number of detected mismatches = $1\n";
+	$warnings++;
+    } elsif (/Detailed Results Description/) {
+	break;
+    }
+}
+
+while(<REPORT>) {
+    next if !/^\d+\s+/;
+
+    split;
+
+    if (($_[2] ne "run") &&
+	($_[2] ne "OK") &&
+	($_[2] ne "end-of-test")) {
+	warn "Unexpected result code $_[2] from test $_[4]\n";
+	$warnings++;
+    }
+}
+
+if ($warnings) {
+    warn "$warnings warnings.\n";
+}
+
+exit($warnings);
diff --git a/src/kadmin/testing/scripts/verify_xrunner_report.plin b/src/kadmin/testing/scripts/verify_xrunner_report.plin
new file mode 100644
index 000000000..9d83c3ea2
--- /dev/null
+++ b/src/kadmin/testing/scripts/verify_xrunner_report.plin
@@ -0,0 +1,38 @@
+#!/usr/local/bin/perl
+
+sub usage { die "usage: $0 reportfile\n"; }
+
+$report = shift(@ARGV) || die &usage;
+
+open(REPORT, $report) || die "Couldn't open $report: $!\n";
+
+while(<REPORT>) {
+    if (/Process termination:/ && !/\bOK\b/) {
+	warn "Process termination not OK\n";
+	$warnings++;
+    } elsif (/Number of detected mismatches:\s*(\d+)/ && ($1 ne "0")) {
+	warn "Number of detected mismatches = $1\n";
+	$warnings++;
+    } elsif (/Detailed Results Description/) {
+	break;
+    }
+}
+
+while(<REPORT>) {
+    next if !/^\d+\s+/;
+
+    split;
+
+    if (($_[2] ne "run") &&
+	($_[2] ne "OK") &&
+	($_[2] ne "end-of-test")) {
+	warn "Unexpected result code $_[2] from test $_[4]\n";
+	$warnings++;
+    }
+}
+
+if ($warnings) {
+    warn "$warnings warnings.\n";
+}
+
+exit($warnings);