Simplify k5test.py environments

The initial k5test.py design, copied from the dejagnu suite, is to
create config files and environments for four expected roles: client,
server, master, and slave.  This approach exaggerates the complexity
of the common case, where the configurations don't need to vary, and
limits us to having just one slave for kprop/iprop tests.

Instead, create just one configuration by default, and add a
special_env() method which sets up a differently configured
environment for the few test cases which need one.  The run_as_*()
methods are collapsed into just run(), which accepts an optional
argument for the environment returned by special_env().

5 files changed, 110 insertions, 123 deletions

diff --git a/src/tests/gssapi/t_ccselect.py b/src/tests/gssapi/t_ccselect.py
index 6b7bce617..8858fa868 100644
--- a/src/tests/gssapi/t_ccselect.py
+++ b/src/tests/gssapi/t_ccselect.py
@@ -42,27 +42,21 @@ gssserver = 'h:host@' + hostname
 # .k5identity rules since it has unknown type.
 refserver = 'p:host/' + hostname + '@'
 
-# Make each realm's keytab contain entries for both realm's servers.
-#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
-#                  (r2.keytab, r1.keytab, ktutil)])
-#r1.run_as_client(['/bin/sh', '-c', '(echo rkt %s; echo wkt %s) | %s' %
-#                  (r1.keytab, r2.keytab, ktutil)])
-
 # Verify that we can't get initiator creds with no credentials in the
 # collection.
-output = r1.run_as_client(['./t_ccselect', host1, '-'], expected_code=1)
+output = r1.run(['./t_ccselect', host1, '-'], expected_code=1)
 if 'No Kerberos credentials available' not in output:
     fail('Expected error not seen in output when no credentials available')
 
 # Make a directory collection and use it for client commands in both realms.
 ccdir = os.path.join(r1.testdir, 'cc')
 ccname = 'DIR:' + ccdir
-r1.env_client['KRB5CCNAME'] = ccname
-r2.env_client['KRB5CCNAME'] = ccname
+r1.env['KRB5CCNAME'] = ccname
+r2.env['KRB5CCNAME'] = ccname
 
 # Use .k5identity from testdir and not from the tester's homedir.
-r1.env_client['HOME'] = r1.testdir
-r2.env_client['HOME'] = r1.testdir
+r1.env['HOME'] = r1.testdir
+r2.env['HOME'] = r1.testdir
 
 # Create two users in r1 and one in r2.
 alice='alice@KRBTEST.COM'
@@ -77,32 +71,32 @@ r1.kinit(alice, password('alice'))
 r2.kinit(zaphod, password('zaphod'))
 
 # Check that we can find a cache for a specified client principal.
-output = r1.run_as_client(['./t_ccselect', host1, 'p:' + alice])
+output = r1.run(['./t_ccselect', host1, 'p:' + alice])
 if output != (alice + '\n'):
     fail('alice not chosen when specified')
-output = r2.run_as_client(['./t_ccselect', host2, 'p:' + zaphod])
+output = r2.run(['./t_ccselect', host2, 'p:' + zaphod])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen when specified')
 
 # Check that we can guess a cache based on the service realm.
-output = r1.run_as_client(['./t_ccselect', host1])
+output = r1.run(['./t_ccselect', host1])
 if output != (alice + '\n'):
     fail('alice not chosen as default initiator cred for server in r1')
-output = r1.run_as_client(['./t_ccselect', host1, '-'])
+output = r1.run(['./t_ccselect', host1, '-'])
 if output != (alice + '\n'):
     fail('alice not chosen as default initiator name for server in r1')
-output = r2.run_as_client(['./t_ccselect', host2])
+output = r2.run(['./t_ccselect', host2])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen as default initiator cred for server in r1')
-output = r2.run_as_client(['./t_ccselect', host2, '-'])
+output = r2.run(['./t_ccselect', host2, '-'])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen as default initiator name for server in r1')
 
 # Check that primary cache is used if server realm is unknown.
-output = r2.run_as_client(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', gssserver])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen via primary cache for unknown server realm')
-r1.run_as_client(['./t_ccselect', gssserver], expected_code=1)
+r1.run(['./t_ccselect', gssserver], expected_code=1)
 
 # Get a second cred in r1 (bob will be primary).
 r1.kinit(bob, password('bob'))
@@ -113,17 +107,16 @@ k5id.write('%s realm=%s\n' % (alice, r1.realm))
 k5id.write('%s service=ho*t host=%s\n' % (zaphod, hostname))
 k5id.write('noprinc service=bogus')
 k5id.close()
-output = r1.run_as_client(['./t_ccselect', host1])
+output = r1.run(['./t_ccselect', host1])
 if output != (alice + '\n'):
     fail('alice not chosen via .k5identity realm line.')
-output = r2.run_as_client(['./t_ccselect', gssserver])
+output = r2.run(['./t_ccselect', gssserver])
 if output != (zaphod + '\n'):
     fail('zaphod not chosen via .k5identity service/host line.')
-output = r1.run_as_client(['./t_ccselect', refserver])
+output = r1.run(['./t_ccselect', refserver])
 if output != (bob + '\n'):
     fail('bob not chosen via primary cache when no .k5identity line matches.')
-output = r1.run_as_client(['./t_ccselect', 'h:bogus@' + hostname],
-                          expected_code=1)
+output = r1.run(['./t_ccselect', 'h:bogus@' + hostname], expected_code=1)
 if 'Can\'t find client principal noprinc' not in output:
     fail('Expected error not seen when k5identity selects bad principal.')
 
diff --git a/src/tests/gssapi/t_client_keytab.py b/src/tests/gssapi/t_client_keytab.py
index 71566a5d3..484aacde3 100644
--- a/src/tests/gssapi/t_client_keytab.py
+++ b/src/tests/gssapi/t_client_keytab.py
@@ -9,126 +9,126 @@ phost = 'p:' + realm.host_princ
 puser = 'p:' + realm.user_princ
 pbob = 'p:' + bob
 gssserver = 'h:host@' + hostname
-realm.env_client['HOME'] = realm.testdir
+realm.env['HOME'] = realm.testdir
 realm.addprinc(bob, password('bob'))
 realm.extract_keytab(realm.user_princ, realm.client_keytab)
 realm.extract_keytab(bob, realm.client_keytab)
 
 # Test 1: no name/cache specified, pick first principal from client keytab
-out = realm.run_as_client(['./t_ccselect', phost])
+out = realm.run(['./t_ccselect', phost])
 if realm.user_princ not in out:
     fail('Authenticated as wrong principal')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 2: no name/cache specified, pick principal from k5identity
 k5idname = os.path.join(realm.testdir, '.k5identity')
 k5id = open(k5idname, 'w')
 k5id.write('%s service=host host=%s\n' % (bob, hostname))
 k5id.close()
-out = realm.run_as_client(['./t_ccselect', gssserver])
+out = realm.run(['./t_ccselect', gssserver])
 if bob not in out:
     fail('Authenticated as wrong principal')
 os.remove(k5idname)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 3: no name/cache specified, default ccache has name but no creds
-realm.run_as_client(['./ccinit', realm.ccache, bob])
-out = realm.run_as_client(['./t_ccselect', phost])
+realm.run(['./ccinit', realm.ccache, bob])
+out = realm.run(['./t_ccselect', phost])
 if bob not in out:
     fail('Authenticated as wrong principal')
 # Leave tickets for next test.
 
 # Test 4: name specified, non-collectable default cache doesn't match
-out = realm.run_as_client(['./t_ccselect', phost, puser], expected_code=1)
+out = realm.run(['./t_ccselect', phost, puser], expected_code=1)
 if 'Principal in credential cache does not match desired name' not in out:
     fail('Expected error not seen')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 5: name specified, nonexistent default cache
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
 # Leave tickets for next test.
 
 # Test 6: name specified, matches default cache, time to refresh
-realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccrefresh', realm.ccache, '1'])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
-out = realm.run_as_client(['./ccrefresh', realm.ccache])
+out = realm.run(['./ccrefresh', realm.ccache])
 if int(out) < 1000:
     fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 7: empty ccache specified, pick first principal from client keytab
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./t_imp_cred', phost])
 realm.klist(realm.user_princ)
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 8: ccache specified with name but no creds; name not in client keytab
-realm.run_as_client(['./ccinit', realm.ccache, realm.host_princ])
-out = realm.run_as_client(['./t_imp_cred', phost], expected_code=1)
+realm.run(['./ccinit', realm.ccache, realm.host_princ])
+out = realm.run(['./t_imp_cred', phost], expected_code=1)
 if 'Credential cache is empty' not in out:
     fail('Expected error not seen')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Test 9: ccache specified with name but no creds; name in client keytab
-realm.run_as_client(['./ccinit', realm.ccache, bob])
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./ccinit', realm.ccache, bob])
+realm.run(['./t_imp_cred', phost])
 realm.klist(bob)
 # Leave tickets for next test.
 
 # Test 10: ccache specified with creds, time to refresh
-realm.run_as_client(['./ccrefresh', realm.ccache, '1'])
-realm.run_as_client(['./t_imp_cred', phost])
+realm.run(['./ccrefresh', realm.ccache, '1'])
+realm.run(['./t_imp_cred', phost])
 realm.klist(bob)
-out = realm.run_as_client(['./ccrefresh', realm.ccache])
+out = realm.run(['./ccrefresh', realm.ccache])
 if int(out) < 1000:
     fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy])
+realm.run([kdestroy])
 
 # Use a cache collection for the remaining tests.
 ccdir = os.path.join(realm.testdir, 'cc')
 ccname = 'DIR:' + ccdir
 os.mkdir(ccdir)
-realm.env_client['KRB5CCNAME'] = ccname
+realm.env['KRB5CCNAME'] = ccname
 
 # Test 11: name specified, matching cache in collection with no creds
 bobcache = os.path.join(ccdir, 'tktbob')
-realm.run_as_client(['./ccinit', bobcache, bob])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccinit', bobcache, bob])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
 # Leave tickets for next test.
 
 # Test 12: name specified, matching cache in collection, time to refresh
-realm.run_as_client(['./ccrefresh', bobcache, '1'])
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+realm.run(['./ccrefresh', bobcache, '1'])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
-out = realm.run_as_client(['./ccrefresh', bobcache])
+out = realm.run(['./ccrefresh', bobcache])
 if int(out) < 1000:
     fail('Credentials apparently not refreshed')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
 
 # Test 13: name specified, collection has default for different principal
 realm.kinit(realm.user_princ, password('user'))
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
-out = realm.run_as_client([klist])
+out = realm.run([klist])
 if 'Default principal: %s\n' % realm.user_princ not in out:
     fail('Default cache overwritten by acquire_cred')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
 
 # Test 14: name specified, collection has no default cache
-out = realm.run_as_client(['./t_ccselect', phost, pbob])
+out = realm.run(['./t_ccselect', phost, pbob])
 if bob not in out:
     fail('Authenticated as wrong principal')
 # Make sure the tickets we acquired didn't become the default
-out = realm.run_as_client([klist], expected_code=1)
+out = realm.run([klist], expected_code=1)
 if 'No credentials cache found' not in out:
     fail('Expected error not seen')
-realm.run_as_client([kdestroy, '-A'])
+realm.run([kdestroy, '-A'])
 
 success('Client keytab tests')
diff --git a/src/tests/gssapi/t_export_cred.py b/src/tests/gssapi/t_export_cred.py
index 3f7b6576d..53dd13c91 100644
--- a/src/tests/gssapi/t_export_cred.py
+++ b/src/tests/gssapi/t_export_cred.py
@@ -19,8 +19,8 @@ def ccache_restore(realm):
 # forwarded cred into the default ccache.
 def check(realm, args):
     ccache_restore(realm)
-    realm.run_as_client(['./t_export_cred'] + args)
-    output = realm.run_as_client([klist, '-f'])
+    realm.run(['./t_export_cred'] + args)
+    output = realm.run([klist, '-f'])
     if 'Flags: Ff' not in output:
         fail('Forwarded tickets not found in ccache after t_export_cred')
 
diff --git a/src/tests/gssapi/t_gssapi.py b/src/tests/gssapi/t_gssapi.py
index e453b7170..5f1d5d1ff 100755
--- a/src/tests/gssapi/t_gssapi.py
+++ b/src/tests/gssapi/t_gssapi.py
@@ -3,7 +3,7 @@ from k5test import *
 
 # Test krb5 negotiation under SPNEGO for all enctype configurations.
 for realm in multipass_realms():
-    realm.run_as_client(['./t_spnego','p:' + realm.host_princ, realm.keytab])
+    realm.run(['./t_spnego','p:' + realm.host_princ, realm.keytab])
 
 ### Test acceptor name behavior.
 
@@ -24,79 +24,75 @@ realm.run_kadminl('renprinc -force service1/abraham service1/andrew')
 
 # Test with no acceptor name, including client/keytab principal
 # mismatch (non-fatal) and missing keytab entry (fatal).
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew'])
+output = realm.run(['./t_accname', 'p:service1/andrew'])
 if 'service1/abraham' not in output:
     fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service1/barack'])
+output = realm.run(['./t_accname', 'p:service1/barack'])
 if 'service1/barack' not in output:
     fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin'])
+output = realm.run(['./t_accname', 'p:service2/calvin'])
 if 'service2/calvin' not in output:
     fail('Expected service1/barack in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/dwight'],
-                             expected_code=1)
+output = realm.run(['./t_accname', 'p:service2/dwight'], expected_code=1)
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_accname output')
 
 # Test with acceptor name containing service only, including
 # client/keytab hostname mismatch (non-fatal) and service name
 # mismatch (fatal).
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
-                              'h:service1'])
+output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service1'])
 if 'service1/abraham' not in output:
     fail('Expected service1/abraham in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service1/andrew',
-                              'h:service2'], expected_code=1)
+output = realm.run(['./t_accname', 'p:service1/andrew', 'h:service2'],
+                   expected_code=1)
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
-                              'h:service2'])
+output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service2'])
 if 'service2/calvin' not in output:
     fail('Expected service2/calvin in t_accname output')
-output = realm.run_as_client(['./t_accname', 'p:service2/calvin',
-                              'h:service1'], expected_code=1)
+output = realm.run(['./t_accname', 'p:service2/calvin', 'h:service1'],
+                   expected_code=1)
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_accname output')
 
 # Test with acceptor name containing service and host.  Use the
 # client's un-canonicalized hostname as acceptor input to mirror what
 # many servers do.
-output = realm.run_as_client(['./t_accname', 'p:' + realm.host_princ,
-                              'h:host@%s' % socket.gethostname()])
+output = realm.run(['./t_accname', 'p:' + realm.host_princ,
+                    'h:host@%s' % socket.gethostname()])
 if realm.host_princ not in output:
     fail('Expected %s in t_accname output' % realm.host_princ)
-output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
-                              'h:host@%s' % socket.gethostname()],
-                             expected_code=1)
+output = realm.run(['./t_accname', 'p:host/-nomatch-',
+                    'h:host@%s' % socket.gethostname()],
+                   expected_code=1)
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_accname output')
 
 # Test krb5_gss_import_cred.
-realm.run_as_client(['./t_imp_cred', 'p:service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
-realm.run_as_client(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
-output = realm.run_as_client(['./t_imp_cred', 'p:service2/dwight'],
-                             expected_code=1)
+realm.run(['./t_imp_cred', 'p:service1/barack'])
+realm.run(['./t_imp_cred', 'p:service1/barack', 'service1/barack'])
+realm.run(['./t_imp_cred', 'p:service1/andrew', 'service1/abraham'])
+output = realm.run(['./t_imp_cred', 'p:service2/dwight'], expected_code=1)
 if 'Wrong principal in request' not in output:
     fail('Expected error message not seen in t_imp_cred output')
 
 # Test credential store extension.
 tmpccname = 'FILE:' + os.path.join(realm.testdir, 'def_cache')
-realm.env_client['KRB5CCNAME'] = tmpccname
+realm.env['KRB5CCNAME'] = tmpccname
 storagecache = 'FILE:' + os.path.join(realm.testdir, 'user_store')
 servicekeytab = os.path.join(realm.testdir, 'kt')
 service_cs = 'service/cs@%s' % realm.realm
 realm.addprinc(service_cs)
 realm.extract_keytab(service_cs, servicekeytab)
 realm.kinit(service_cs, None, ['-k', '-t', servicekeytab])
-output = realm.run_as_client(['./t_credstore', service_cs, '--cred_store',
-                              'ccache', storagecache, 'keytab', servicekeytab])
+output = realm.run(['./t_credstore', service_cs, '--cred_store',
+                    'ccache', storagecache, 'keytab', servicekeytab])
 if 'Cred Store Success' not in output:
     fail('Expected test to succeed')
 
 # Verify that we can't acquire acceptor creds without a keytab.
 os.remove(realm.keytab)
-output = realm.run_as_client(['./t_accname', 'p:abc'], expected_code=1)
+output = realm.run(['./t_accname', 'p:abc'], expected_code=1)
 if ('gss_acquire_cred: Keytab' not in output or
     'nonexistent or empty' not in output):
     fail('Expected error message not seen for nonexistent keytab')
@@ -105,13 +101,12 @@ realm.stop()
 
 # Re-run the last acceptor name test with ignore_acceptor_hostname set
 # and the principal for the mismatching hostname in the keytab.
-ignore_conf = { 'all' : { 'libdefaults' : {
-            'ignore_acceptor_hostname' : 'true' } } }
+ignore_conf = {'libdefaults': {'ignore_acceptor_hostname': 'true'}}
 realm = K5Realm(krb5_conf=ignore_conf)
 realm.run_kadminl('addprinc -randkey host/-nomatch-')
 realm.run_kadminl('xst host/-nomatch-')
-output = realm.run_as_client(['./t_accname', 'p:host/-nomatch-',
-                              'h:host@%s' % socket.gethostname()])
+output = realm.run(['./t_accname', 'p:host/-nomatch-',
+                    'h:host@%s' % socket.gethostname()])
 if 'host/-nomatch-' not in output:
     fail('Expected host/-nomatch- in t_accname output')
 
@@ -122,31 +117,31 @@ realm.stop()
 realm = K5Realm()
 
 # Test deferred resolution of the default ccache for initiator creds.
-output = realm.run_as_client(['./t_inq_cred'])
+output = realm.run(['./t_inq_cred'])
 if realm.user_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run_as_client(['./t_inq_cred', '-k'])
+output = realm.run(['./t_inq_cred', '-k'])
 if realm.user_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.user_princ)
-output = realm.run_as_client(['./t_inq_cred', '-s'])
+output = realm.run(['./t_inq_cred', '-s'])
 if realm.user_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.user_princ)
 
 # Test picking a name from the keytab for acceptor creds.
-output = realm.run_as_client(['./t_inq_cred', '-a'])
+output = realm.run(['./t_inq_cred', '-a'])
 if realm.host_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run_as_client(['./t_inq_cred', '-k', '-a'])
+output = realm.run(['./t_inq_cred', '-k', '-a'])
 if realm.host_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.host_princ)
-output = realm.run_as_client(['./t_inq_cred', '-s', '-a'])
+output = realm.run(['./t_inq_cred', '-s', '-a'])
 if realm.host_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.host_princ)
 
 # Test client keytab initiation (non-deferred) with a specified name.
 realm.extract_keytab(realm.user_princ, realm.client_keytab)
 os.remove(realm.ccache)
-output = realm.run_as_client(['./t_inq_cred', '-k'])
+output = realm.run(['./t_inq_cred', '-k'])
 if realm.user_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.user_princ)
 
@@ -154,34 +149,34 @@ if realm.user_princ not in output:
 os.remove(realm.client_keytab)
 os.remove(realm.ccache)
 shutil.copyfile(realm.keytab, realm.client_keytab)
-output = realm.run_as_client(['./t_inq_cred', '-k', '-b'])
+output = realm.run(['./t_inq_cred', '-k', '-b'])
 if realm.host_princ not in output:
     fail('Expected %s in t_inq_cred output' % realm.host_princ)
 
 # Test gss_export_name behavior.
-out = realm.run_as_client(['./t_export_name', 'u:x'])
+out = realm.run(['./t_export_name', 'u:x'])
 if out != '0401000B06092A864886F7120102020000000D78404B5242544553542E434F4D\n':
     fail('Unexpected output from t_export_name (krb5 username)')
-output = realm.run_as_client(['./t_export_name', '-s', 'u:xyz'])
+output = realm.run(['./t_export_name', '-s', 'u:xyz'])
 if output != '0401000806062B06010505020000000378797A\n':
     fail('Unexpected output from t_export_name (SPNEGO username)')
-output = realm.run_as_client(['./t_export_name', 'p:a@b'])
+output = realm.run(['./t_export_name', 'p:a@b'])
 if output != '0401000B06092A864886F71201020200000003614062\n':
     fail('Unexpected output from t_export_name (krb5 principal)')
-output = realm.run_as_client(['./t_export_name', '-s', 'p:a@b'])
+output = realm.run(['./t_export_name', '-s', 'p:a@b'])
 if output != '0401000806062B060105050200000003614062\n':
     fail('Unexpected output from t_export_name (SPNEGO krb5 principal)')
 
 # Test gss_inquire_mechs_for_name behavior.
 krb5_mech = '{ 1 2 840 113554 1 2 2 }'
 spnego_mech = '{ 1 3 6 1 5 5 2 }'
-out = realm.run_as_client(['./t_inq_mechs_name', 'p:a@b'])
+out = realm.run(['./t_inq_mechs_name', 'p:a@b'])
 if krb5_mech not in out:
     fail('t_inq_mechs_name (principal)')
-out = realm.run_as_client(['./t_inq_mechs_name', 'u:x'])
+out = realm.run(['./t_inq_mechs_name', 'u:x'])
 if krb5_mech not in out or spnego_mech not in out:
     fail('t_inq_mecs_name (user)')
-out = realm.run_as_client(['./t_inq_mechs_name', 'h:host'])
+out = realm.run(['./t_inq_mechs_name', 'h:host'])
 if krb5_mech not in out or spnego_mech not in out:
     fail('t_inq_mecs_name (hostbased)')
 
diff --git a/src/tests/gssapi/t_s4u.py b/src/tests/gssapi/t_s4u.py
index cd6759101..67dc81034 100644
--- a/src/tests/gssapi/t_s4u.py
+++ b/src/tests/gssapi/t_s4u.py
@@ -24,17 +24,17 @@ realm.kinit(service1, None, ['-f', '-k'])
 # at the S4U2Proxy step since the DB2 back end currently has no
 # support for allowing it.
 realm.kinit(realm.user_princ, password('user'), ['-f', '-c', usercache])
-output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
-                              '-', pservice1, pservice2], expected_code=1)
+output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, '-',
+                    pservice1, pservice2], expected_code=1)
 if ('auth1: ' + realm.user_princ not in output or
     'NOT_ALLOWED_TO_DELEGATE' not in output):
     fail('krb5 -> s4u2proxy')
 
 # Again with SPNEGO.  Bug #7045 prevents us from checking the error
 # message, but we can at least exercise the code.
-output = realm.run_as_server(['./t_s4u2proxy_krb5', '--spnego', usercache,
-                              storagecache, '-', pservice1, pservice2],
-                             expected_code=1)
+output = realm.run(['./t_s4u2proxy_krb5', '--spnego', usercache, storagecache,
+                    '-', pservice1, pservice2],
+                   expected_code=1)
 if ('auth1: ' + realm.user_princ not in output):
     fail('krb5 -> s4u2proxy (SPNEGO)')
 
@@ -42,18 +42,18 @@ if ('auth1: ' + realm.user_princ not in output):
 # result in no delegated credential being created by
 # accept_sec_context.
 realm.kinit(realm.user_princ, password('user'), ['-c', usercache])
-output = realm.run_as_server(['./t_s4u2proxy_krb5', usercache, storagecache,
-                              pservice1, pservice1, pservice2])
+output = realm.run(['./t_s4u2proxy_krb5', usercache, storagecache, pservice1,
+                    pservice1, pservice2])
 if 'no credential delegated' not in output:
     fail('krb5 -> no delegated cred')
 
 # Try S4U2Self.  Ask for an S4U2Proxy step; this won't happen because
 # service/1 isn't allowed to get a forwardable S4U2Self ticket.
-output = realm.run_as_server(['./t_s4u', puser, pservice2])
+output = realm.run(['./t_s4u', puser, pservice2])
 if ('Warning: no delegated cred handle' not in output or
     'Source name:\t' + realm.user_princ not in output):
     fail('s4u2self')
-output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2])
+output = realm.run(['./t_s4u', '--spnego', puser, pservice2])
 if ('Warning: no delegated cred handle' not in output or
     'Source name:\t' + realm.user_princ not in output):
     fail('s4u2self (SPNEGO)')
@@ -61,7 +61,7 @@ if ('Warning: no delegated cred handle' not in output or
 # Correct that problem and try again.  As above, the S4U2Proxy step
 # won't actually succeed since we don't support that in DB2.
 realm.run_kadminl('modprinc +ok_to_auth_as_delegate ' + service1)
-output = realm.run_as_server(['./t_s4u', puser, pservice2], expected_code=1)
+output = realm.run(['./t_s4u', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')
 
@@ -70,8 +70,7 @@ if 'NOT_ALLOWED_TO_DELEGATE' not in output:
 # a krb5 cred, not a SPNEGO cred, and t_s4u uses the delegated cred
 # directly rather than saving and reacquiring it) so bug #7045 does
 # not apply and we can verify the error message.
-output = realm.run_as_server(['./t_s4u', '--spnego', puser, pservice2],
-                             expected_code=1)
+output = realm.run(['./t_s4u', '--spnego', puser, pservice2], expected_code=1)
 if 'NOT_ALLOWED_TO_DELEGATE' not in output:
     fail('s4u2self')