s4:dsdb/acl_read: enable acl checking on search by default (bug #8620)
[metze/samba/wip.git] / selftest / target / Samba4.pm
index b94abdb4750eb50cfc5ac82cad0ac8280601e064..5988b8364253ae7c29cef143d20da8ad1f8063a7 100644 (file)
@@ -147,7 +147,7 @@ sub wait_for_start($$)
 
        # This will return quickly when things are up, but be slow if we
        # need to wait for (eg) SSL init
-       my $nmblookup =  Samba::bindir_path($self, "nmblookup");
+       my $nmblookup =  Samba::bindir_path($self, "nmblookup4");
        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{SERVER}");
        system("$nmblookup $testenv_vars->{CONFIGURATION} -U $testenv_vars->{SERVER_IP} $testenv_vars->{SERVER}");
        system("$nmblookup $testenv_vars->{CONFIGURATION} $testenv_vars->{NETBIOSNAME}");
@@ -420,7 +420,7 @@ Wfz/8alZ5aMezCQzXJyIaJsCLeKABosSwHcpAFmxlQ==
 EOF
 }
 
-sub provision_raw_prepare($$$$$$$$$)
+sub provision_raw_prepare($$$$$$$$$$)
 {
        my ($self, $prefix, $server_role, $hostname,
            $domain, $realm, $functional_level,
@@ -456,12 +456,14 @@ sub provision_raw_prepare($$$$$$$$$)
        $ctx->{password} = $password;
        $ctx->{kdc_ipv4} = $kdc_ipv4;
 
+#
+# Set smbd log level here.
+#
        $ctx->{server_loglevel} =$ENV{SERVER_LOG_LEVEL} || 1;
        $ctx->{username} = "Administrator";
        $ctx->{domain} = $domain;
        $ctx->{realm} = uc($realm);
        $ctx->{dnsname} = lc($realm);
-       $ctx->{sid_generator} = "internal";
 
        $ctx->{functional_level} = $functional_level;
 
@@ -479,6 +481,7 @@ sub provision_raw_prepare($$$$$$$$$)
        $ctx->{privatedir} = "$prefix_abs/private";
        $ctx->{ncalrpcdir} = "$prefix_abs/ncalrpc";
        $ctx->{lockdir} = "$prefix_abs/lockdir";
+       $ctx->{logdir} = "$prefix_abs/logs";
        $ctx->{statedir} = "$prefix_abs/statedir";
        $ctx->{cachedir} = "$prefix_abs/cachedir";
        $ctx->{winbindd_socket_dir} = "$prefix_abs/winbindd_socket";
@@ -496,6 +499,7 @@ sub provision_raw_prepare($$$$$$$$$)
        push(@{$ctx->{directories}}, $ctx->{etcdir});
        push(@{$ctx->{directories}}, $ctx->{piddir});
        push(@{$ctx->{directories}}, $ctx->{lockdir});
+       push(@{$ctx->{directories}}, $ctx->{logdir});
        push(@{$ctx->{directories}}, $ctx->{statedir});
        push(@{$ctx->{directories}}, $ctx->{cachedir});
 
@@ -521,7 +525,9 @@ sub provision_raw_prepare($$$$$$$$$)
        if (defined($ENV{PYTHON})) {
                push (@provision_options, $ENV{PYTHON});
        }
-       push (@provision_options, "$self->{srcdir}/source4/setup/provision");
+       push (@provision_options, Samba::bindir_path($self, "samba-tool"));
+       push (@provision_options, "domain");
+       push (@provision_options, "provision");
        push (@provision_options, "--configfile=$ctx->{smb_conf}");
        push (@provision_options, "--host-name=$ctx->{hostname}");
        push (@provision_options, "--host-ip=$ctx->{ipv4}");
@@ -534,7 +540,6 @@ sub provision_raw_prepare($$$$$$$$$)
        push (@provision_options, "--root=$ctx->{unix_name}");
        push (@provision_options, "--server-role=\"$ctx->{server_role}\"");
        push (@provision_options, "--function-level=\"$ctx->{functional_level}\"");
-       push (@provision_options, "--dns-backend=BIND9_DLZ");
 
        @{$ctx->{provision_options}} = @provision_options;
 
@@ -554,11 +559,8 @@ sub provision_raw_step1($$)
                warn("can't open $ctx->{smb_conf}$?");
                return undef;
        }
-       my $acl = "false";
-       $acl = "true" if (defined $ENV{WITH_ACL});
        print CONFFILE "
 [global]
-       acl:search = $acl
        netbios name = $ctx->{netbiosname}
        posix:eadb = $ctx->{statedir}/eadb.tdb
        workgroup = $ctx->{domain}
@@ -579,32 +581,29 @@ sub provision_raw_step1($$)
        panic action = $RealBin/gdb_backtrace \%d
        wins support = yes
        server role = $ctx->{server_role}
-       server services = +echo +dns
+       server services = +echo +smb -s3fs
+        dcerpc endpoint servers = +winreg +srvsvc
        notify:inotify = false
        ldb:nosync = true
 #We don't want to pass our self-tests if the PAC code is wrong
        gensec:require_pac = true
+       log file = $ctx->{logdir}/log.\%m
        log level = $ctx->{server_loglevel}
        lanman auth = Yes
        rndc command = true
-        dns update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --all-interfaces --use-file=$ctx->{dns_host_file}
-        spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate
-        resolv:host file = $ctx->{dns_host_file}
+       dns update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_dnsupdate --all-interfaces --use-file=$ctx->{dns_host_file} -s $ctx->{smb_conf}
+       spn update command = $ENV{SRCDIR_ABS}/source4/scripting/bin/samba_spnupdate -s $ctx->{smb_conf}
+       resolv:host file = $ctx->{dns_host_file}
        dreplsrv:periodic_startup_interval = 0
        dsdb:schema update allowed = yes
 
-        passdb backend = samba4
+        vfs objects = dfs_samba4 acl_xattr fake_acls xattr_tdb streams_depot
 
-        # remove this again, when our smb2 client library
-        # supports signin on compound related requests
-        server signing = on
+       # remove this again, when our smb2 client library
+       # supports signin on compound related requests
+       server signing = on
 ";
 
-       if (defined($ctx->{sid_generator}) && $ctx->{sid_generator} ne "internal") {
-               print CONFFILE "
-       sid generator = $ctx->{sid_generator}";
-       }
-
        print CONFFILE "
 
        # Begin extra options
@@ -625,8 +624,8 @@ sub provision_raw_step1($$)
        open(PWD, ">$ctx->{nsswrap_passwd}");
        print PWD "
 root:x:0:0:root gecos:$ctx->{prefix_abs}:/bin/false
-$ctx->{unix_name}:x:$ctx->{unix_uid}:@{$ctx->{unix_gids}}[0]:$ctx->{unix_name} gecos:$ctx->{prefix_abs}:/bin/false
 nobody:x:65534:65533:nobody gecos:$ctx->{prefix_abs}:/bin/false
+pdbtest:x:65533:65533:pdbtest gecos:$ctx->{prefix_abs}:/bin/false
 ";
        close(PWD);
 
@@ -671,6 +670,7 @@ nogroup:x:65534:nobody
                LOCKDIR => $ctx->{lockdir},
                STATEDIR => $ctx->{statedir},
                CACHEDIR => $ctx->{cachedir},
+               PRIVATEDIR => $ctx->{privatedir},
                SERVERCONFFILE => $ctx->{smb_conf},
                CONFIGURATION => $configuration,
                SOCKET_WRAPPER_DEFAULT_IFACE => $ctx->{swiface},
@@ -679,7 +679,7 @@ nogroup:x:65534:nobody
                SAMBA_TEST_FIFO => "$ctx->{prefix}/samba_test.fifo",
                SAMBA_TEST_LOG => "$ctx->{prefix}/samba_test.log",
                SAMBA_TEST_LOG_POS => 0,
-               NSS_WRAPPER_WINBIND_SO_PATH => Samba::bindir_path($self, "default/nsswitch/libnss-winbind.so"),
+               NSS_WRAPPER_WINBIND_SO_PATH => Samba::nss_wrapper_winbind_so_path($self),
                 LOCAL_PATH => $ctx->{share}
        };
 
@@ -702,21 +702,34 @@ sub provision_raw_step2($$$)
        return $ret;
 }
 
-sub provision($$$$$$$$)
+sub provision($$$$$$$$$)
 {
        my ($self, $prefix, $server_role, $hostname,
            $domain, $realm, $functional_level,
-           $password, $kdc_ipv4, $extra_smbconf_options, $extra_smbconf_shares) = @_;
+           $password, $kdc_ipv4, $extra_smbconf_options, $extra_smbconf_shares,
+           $extra_provision_options) = @_;
 
        my $ctx = $self->provision_raw_prepare($prefix, $server_role,
                                               $hostname,
                                               $domain, $realm, $functional_level,
                                               $password, $kdc_ipv4);
 
+       if (defined($extra_provision_options)) {
+               push (@{$ctx->{provision_options}}, @{$extra_provision_options});
+       } else {
+               push (@{$ctx->{provision_options}}, "--use-ntvfs");
+       }
+
        $ctx->{share} = "$ctx->{prefix_abs}/share";
        push(@{$ctx->{directories}}, "$ctx->{share}");
        push(@{$ctx->{directories}}, "$ctx->{share}/test1");
        push(@{$ctx->{directories}}, "$ctx->{share}/test2");
+
+       # precreate directories for printer drivers
+       push(@{$ctx->{directories}}, "$ctx->{share}/W32X86");
+       push(@{$ctx->{directories}}, "$ctx->{share}/x64");
+       push(@{$ctx->{directories}}, "$ctx->{share}/WIN40");
+
        my $msdfs = "no";
        $msdfs = "yes" if ($server_role eq "domain controller");
        $ctx->{smb_conf_extra_options} = "
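Review bot: In `provision`, the `else` branch appends `--use-ntvfs` only when the caller passes `undef`, so any caller that supplies `$extra_provision_options` silently loses it; provision_chgdcpass later in this diff passes only `--dns-backend=BIND9_DLZ`. If that is intended, a comment above the `if` should say so, for example `# callers passing their own options must add --use-ntvfs themselves if they need it`. The prototype `($$$$$$$$$)` has nine slots while twelve values are unpacked from `@_`; Perl does not apply prototypes to method calls, so it only misleads readers. The body of provision continues past the end of this hunk.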
@@ -744,6 +757,14 @@ sub provision($$$$$$$$)
        create mask = 777
        force create mode = 777
 
+[posix_share]
+       path = $ctx->{share}
+       read only = no
+       create mask = 0777
+       force create mode = 0
+       directory mask = 0777
+       force directory mode = 0
+
 [test1]
        path = $ctx->{share}/test1
        read only = no
@@ -775,7 +796,7 @@ sub provision($$$$$$$$)
 
 [sysvol]
        path = $ctx->{statedir}/sysvol
-       read only = yes
+       read only = no
 
 [netlogon]
        path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
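Review bot: `[sysvol]` becomes writable here with no comment explaining why, while the `[sysvol]` section written by the new provision_promoted_vampire_dc in this same diff keeps `read only = yes`. With `read only = no` the share-level guard is gone and write access depends on the underlying file permissions and ACLs alone. A `#` comment line next to the setting, naming the tests that need to write to sysvol, would let a reader judge whether the two environments are meant to differ. The share definitions sit inside a string that starts and ends outside this hunk.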
@@ -796,9 +817,6 @@ $extra_smbconf_shares
                $ldap_uri =~ s|/|%2F|g;
                $ldap_uri = "ldapi://$ldap_uri";
                $ctx->{ldap_uri} = $ldap_uri;
-               if ($self->{ldap} eq "fedora-ds") {
-                       $ctx->{sid_generator} = "backend";
-               }
 
                $ctx->{ldap_instance} = lc($ctx->{netbiosname});
        }
@@ -840,7 +858,7 @@ sub provision_member($$$)
                                   "2008",
                                   "locMEMpass3",
                                   $dcvars->{SERVER_IP},
-                                  "", "");
+                                  "", "", undef);
        unless ($ret) {
                return undef;
        }
@@ -905,7 +923,7 @@ sub provision_rpc_proxy($$$)
                                   "2008",
                                   "locRPCproxypass4",
                                   $dcvars->{SERVER_IP},
-                                  $extra_smbconf_options, "");
+                                  $extra_smbconf_options, "", undef);
 
        unless ($ret) {
                return undef;
@@ -965,6 +983,80 @@ sub provision_rpc_proxy($$$)
        return $ret;
 }
 
+sub provision_promoted_vampire_dc($$$)
+{
+       my ($self, $prefix, $dcvars) = @_;
+       print "PROVISIONING VAMPIRE DC...";
+
+       # We do this so that we don't run the provision.  That's the job of 'net vampire'.
+       my $ctx = $self->provision_raw_prepare($prefix, "domain controller",
+                                              "promotedvdc",
+                                              "SAMBADOMAIN",
+                                              "samba.example.com",
+                                              "2008",
+                                              $dcvars->{PASSWORD},
+                                              $dcvars->{SERVER_IP});
+
+       push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
+       $ctx->{smb_conf_extra_options} = "
+       max xmit = 32K
+       server max protocol = SMB2
+
+[sysvol]
+       path = $ctx->{statedir}/sysvol
+       read only = yes
+
+[netlogon]
+       path = $ctx->{statedir}/sysvol/$ctx->{dnsname}/scripts
+       read only = no
+
+";
+
+       my $ret = $self->provision_raw_step1($ctx);
+       unless ($ret) {
+               return undef;
+       }
+
+       my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+       my $cmd = "";
+       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+       $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} MEMBER --realm=$dcvars->{REALM}";
+       $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+       $cmd .= " --machinepass=machine$ret->{password}";
+
+       unless (system($cmd) == 0) {
+               warn("Join failed\n$cmd");
+               return undef;
+       }
+
+       my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+       my $cmd = "";
+       $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$ret->{SOCKET_WRAPPER_DEFAULT_IFACE}\" ";
+       $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
+       $cmd .= "$samba_tool domain dcpromo $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
+       $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
+       $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
+
+       unless (system($cmd) == 0) {
+               warn("Join failed\n$cmd");
+               return undef;
+       }
+
+       $ret->{PROMOTED_VAMPIRE_DC_SERVER} = $ret->{SERVER};
+       $ret->{PROMOTED_VAMPIRE_DC_SERVER_IP} = $ret->{SERVER_IP};
+       $ret->{PROMOTED_VAMPIRE_DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
+
+       $ret->{DC_SERVER} = $dcvars->{DC_SERVER};
+       $ret->{DC_SERVER_IP} = $dcvars->{DC_SERVER_IP};
+       $ret->{DC_NETBIOSNAME} = $dcvars->{DC_NETBIOSNAME};
+       $ret->{DC_USERNAME} = $dcvars->{DC_USERNAME};
+       $ret->{DC_PASSWORD} = $dcvars->{DC_PASSWORD};
+
+       return $ret;
+}
+
 sub provision_vampire_dc($$$)
 {
        my ($self, $prefix, $dcvars) = @_;
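Review bot: In provision_promoted_vampire_dc both failure paths call `warn("Join failed\n$cmd")`, and `$cmd` holds `-U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}` and `--machinepass=...`, so a failed join or dcpromo writes the credentials into the test output; the message should omit `$cmd` or mask the password arguments. The values are also interpolated unquoted into a string that `system()` hands to the shell, so a password containing shell metacharacters would change the command. The second message should name the step that actually failed, e.g. `warn("dcpromo failed\n")`. `my $samba_tool` and `my $cmd` are declared twice in the same scope, which triggers a "masks earlier declaration" warning; the second block can use `$cmd = "";` and reuse `$samba_tool`. The same credential echo appears in the `warn` calls of setup_promoted_vampire_dc further down.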
@@ -979,6 +1071,8 @@ sub provision_vampire_dc($$$)
                                               $dcvars->{PASSWORD},
                                               $dcvars->{SERVER_IP});
 
+       push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
        $ctx->{smb_conf_extra_options} = "
        max xmit = 32K
        server max protocol = SMB2
@@ -1004,7 +1098,7 @@ sub provision_vampire_dc($$$)
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} DC --realm=$dcvars->{REALM}";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD} --domain-critical-only";
-       $cmd .= " --machinepass=machine$ret->{password}";
+       $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
 
        unless (system($cmd) == 0) {
                warn("Join failed\n$cmd");
@@ -1038,6 +1132,8 @@ sub provision_subdom_dc($$$)
                                               $dcvars->{PASSWORD},
                                               undef);
 
+       push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
        $ctx->{smb_conf_extra_options} = "
        max xmit = 32K
        server max protocol = SMB2
@@ -1067,7 +1163,7 @@ sub provision_subdom_dc($$$)
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $ctx->{realm} subdomain ";
        $cmd .= "--parent-domain=$dcvars->{REALM} -U$dcvars->{DC_USERNAME}\@$dcvars->{REALM}\%$dcvars->{DC_PASSWORD}";
-       $cmd .= " --machinepass=machine$ret->{password}";
+       $cmd .= " --machinepass=machine$ret->{password} --use-ntvfs";
 
        unless (system($cmd) == 0) {
                warn("Join failed\n$cmd");
@@ -1092,8 +1188,7 @@ sub provision_dc($$)
        my ($self, $prefix) = @_;
 
        print "PROVISIONING DC...";
-        my $extra_conf_options = "netbios aliases = localDC1-a
-allow dns updates = True";
+        my $extra_conf_options = "netbios aliases = localDC1-a";
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "localdc",
@@ -1101,7 +1196,7 @@ allow dns updates = True";
                                   "samba.example.com",
                                   "2008",
                                   "locDCpass1",
-                                  undef, $extra_conf_options, "");
+                                  undef, $extra_conf_options, "", undef);
 
        return undef unless(defined $ret);
        unless($self->add_wins_config("$prefix/private")) {
@@ -1130,7 +1225,7 @@ sub provision_fl2000dc($$)
                                   "samba2000.example.com",
                                   "2000",
                                   "locDCpass5",
-                                  undef, "");
+                                  undef, "", "", undef);
 
        unless($self->add_wins_config("$prefix/private")) {
                warn("Unable to add wins configuration");
@@ -1152,7 +1247,7 @@ sub provision_fl2003dc($$)
                                   "samba2003.example.com",
                                   "2003",
                                   "locDCpass6",
-                                  undef, "", "");
+                                  undef, "allow dns updates = nonsecure and secure", "", undef);
 
        unless($self->add_wins_config("$prefix/private")) {
                warn("Unable to add wins configuration");
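Review bot: The new option string `allow dns updates = nonsecure and secure` makes this environment accept unauthenticated dynamic DNS updates, and nothing at the call says why only fl2003dc gets it. A comment above the call naming the tests that depend on nonsecure updates would record the intent, for example `# fl2003dc is the environment that exercises nonsecure DNS updates`, with the wording to be confirmed by the author. The opening lines of the call are outside this hunk.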
@@ -1174,7 +1269,7 @@ sub provision_fl2008r2dc($$)
                                   "samba2008R2.example.com",
                                   "2008_R2",
                                   "locDCpass7",
-                                  undef, "", "");
+                                  undef, "", "", undef);
 
        unless ($self->add_wins_config("$prefix/private")) {
                warn("Unable to add wins configuration");
@@ -1202,6 +1297,8 @@ sub provision_rodc($$$)
                return undef;
        }
 
+       push (@{$ctx->{provision_options}}, "--use-ntvfs");
+
        $ctx->{share} = "$ctx->{prefix_abs}/share";
        push(@{$ctx->{directories}}, "$ctx->{share}");
 
@@ -1237,7 +1334,7 @@ sub provision_rodc($$$)
        $cmd .= "KRB5_CONFIG=\"$ret->{KRB5_CONFIG}\" ";
        $cmd .= "$samba_tool domain join $ret->{CONFIGURATION} $dcvars->{REALM} RODC";
        $cmd .= " -U$dcvars->{DC_USERNAME}\%$dcvars->{DC_PASSWORD}";
-       $cmd .= " --server=$dcvars->{DC_SERVER}";
+       $cmd .= " --server=$dcvars->{DC_SERVER} --use-ntvfs";
 
        unless (system($cmd) == 0) {
                warn("RODC join failed\n$cmd");
@@ -1271,6 +1368,7 @@ sub provision_plugin_s4_dc($$)
 
        my $bindir_abs = abs_path($self->{bindir});
        my $lockdir="$prefix_abs/lockdir";
+        my $conffile="$prefix_abs/etc/smb.conf";
 
        my $extra_smbconf_options = "
         server services = -smb +s3fs
@@ -1283,25 +1381,23 @@ sub provision_plugin_s4_dc($$)
        printing = bsd
        printcap name = /dev/null
 
-       max protocol = SMB2
+       max protocol = SMB3
        read only = no
        server signing = auto
 
        smbd:sharedelay = 100000
        smbd:writetimeupdatedelay = 500000
-       map hidden = no
-       map system = no
-       map readonly = no
-       store dos attributes = yes
-       create mask = 755
+       create mask = 0777
+       directory mask = 0777
        dos filemode = yes
 
-        vfs objects = acl_xattr xattr_tdb streams_depot
-
         dcerpc endpoint servers = -winreg -srvsvc
 
        printcap name = /dev/null
 
+       addprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -a -s $conffile --
+       deleteprinter command = $ENV{SRCDIR_ABS}/source3/script/tests/printing/modprinter.pl -d -s $conffile --
+
        printing = vlp
        print command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb print %p %s
        lpq command = $bindir_abs/vlp tdbfile=$lockdir/vlp.tdb lpq %p
@@ -1316,6 +1412,10 @@ sub provision_plugin_s4_dc($$)
 
        my $extra_smbconf_shares = "
 
+[tmpenc]
+       copy = tmp
+       smb encrypt = required
+
 [tmpcase]
        copy = tmp
        case sensitive = yes
@@ -1327,6 +1427,26 @@ sub provision_plugin_s4_dc($$)
 [hideunread]
        copy = tmp
        hide unreadable = yes
+
+[durable]
+       copy = tmp
+       kernel share modes = no
+       kernel oplocks = no
+       posix locking = no
+
+[print\$]
+       copy = tmp
+
+[print1]
+       copy = tmp
+       printable = yes
+
+[print2]
+       copy = print1
+[print3]
+       copy = print1
+[lp]
+       copy = print1
 ";
 
        print "PROVISIONING PLUGIN S4 DC...";
@@ -1338,7 +1458,7 @@ sub provision_plugin_s4_dc($$)
                                   "2008",
                                   "locDCpass1",
                                   undef, $extra_smbconf_options,
-                                   $extra_smbconf_shares);
+                                   $extra_smbconf_shares, undef);
 
        return undef unless(defined $ret);
        unless($self->add_wins_config("$prefix/private")) {
@@ -1360,6 +1480,8 @@ sub provision_chgdcpass($$)
        my ($self, $prefix) = @_;
 
        print "PROVISIONING CHGDCPASS...";
+       my $extra_provision_options = undef;
+       push (@{$extra_provision_options}, "--dns-backend=BIND9_DLZ");
        my $ret = $self->provision($prefix,
                                   "domain controller",
                                   "chgdcpass",
@@ -1367,13 +1489,22 @@ sub provision_chgdcpass($$)
                                   "chgdcpassword.samba.example.com",
                                   "2008",
                                   "chgDCpass1",
-                                  undef);
+                                  undef, "server services = -dns", "",
+                                  $extra_provision_options);
 
        return undef unless(defined $ret);
        unless($self->add_wins_config("$prefix/private")) {
                warn("Unable to add wins configuration");
                return undef;
        }
+       
+       # Remove secrets.tdb from this environment to test that we still start up
+       # on systems without the new matching secrets.tdb records
+       unless (unlink("$ret->{PRIVATEDIR}/secrets.tdb")) {
+               warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision");
+               return undef;
+       }
+           
        $ret->{DC_SERVER} = $ret->{SERVER};
        $ret->{DC_SERVER_IP} = $ret->{SERVER_IP};
        $ret->{DC_NETBIOSNAME} = $ret->{NETBIOSNAME};
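Review bot: The new `unlink` check reports failure without `$!`, so the log will not show whether the file was missing or could not be removed; `warn("Unable to remove $ret->{PRIVATEDIR}/secrets.tdb added during provision: $!");` keeps the reason. The two otherwise empty lines around the added block carry trailing whitespace. provision_chgdcpass extends beyond this hunk on both sides.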
@@ -1396,7 +1527,7 @@ sub teardown_env($$)
        my $childpid;
 
        # This should give it time to write out the gcov data
-       until ($count > 20) {
+       until ($count > 30) {
            if (Samba::cleanup_child($pid, "samba") == -1) {
                last;
            }
@@ -1489,6 +1620,11 @@ sub setup_env($$$)
                        $self->setup_dc("$path/dc");
                }
                return $self->setup_vampire_dc("$path/vampire_dc", $self->{vars}->{dc});
+       } elsif ($envname eq "promoted_vampire_dc") {
+               if (not defined($self->{vars}->{dc})) {
+                       $self->setup_dc("$path/dc");
+               }
+               return $self->setup_promoted_vampire_dc("$path/promoted_vampire_dc", $self->{vars}->{dc});
        } elsif ($envname eq "subdom_dc") {
                if (not defined($self->{vars}->{dc})) {
                        $self->setup_dc("$path/dc");
@@ -1662,7 +1798,59 @@ sub setup_vampire_dc($$$)
                my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
                $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
                $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
-               $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{VAMPIRE_DC_SERVER}";
+               $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
+               $cmd .= " $dc_vars->{CONFIGURATION}";
+               $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+               # replicate Configuration NC
+               my $cmd_repl = "$cmd \"CN=Configuration,$base_dn\"";
+               unless(system($cmd_repl) == 0) {
+                       warn("Failed to replicate\n$cmd_repl");
+                       return undef;
+               }
+               # replicate Default NC
+               $cmd_repl = "$cmd \"$base_dn\"";
+               unless(system($cmd_repl) == 0) {
+                       warn("Failed to replicate\n$cmd_repl");
+                       return undef;
+               }
+       }
+
+       return $env;
+}
+
+sub setup_promoted_vampire_dc($$$)
+{
+       my ($self, $path, $dc_vars) = @_;
+
+       my $env = $self->provision_promoted_vampire_dc($path, $dc_vars);
+
+       if (defined $env) {
+               $self->check_or_start($env, "single");
+
+               $self->wait_for_start($env);
+
+               $self->{vars}->{promoted_vampire_dc} = $env;
+
+               # force replicated DC to update repsTo/repsFrom
+               # for vampired partitions
+               my $samba_tool =  Samba::bindir_path($self, "samba-tool");
+               my $cmd = "";
+               $cmd .= "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+               $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= " $samba_tool drs kcc $env->{DC_SERVER}";
+               $cmd .= " $env->{CONFIGURATION}";
+               $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
+               unless (system($cmd) == 0) {
+                       warn("Failed to exec kcc\n$cmd");
+                       return undef;
+               }
+
+               # as 'vampired' dc may add data in its local replica
+               # we need to synchronize data between DCs
+               my $base_dn = "DC=".join(",DC=", split(/\./, $dc_vars->{REALM}));
+               $cmd = "SOCKET_WRAPPER_DEFAULT_IFACE=\"$env->{SOCKET_WRAPPER_DEFAULT_IFACE}\"";
+               $cmd .= " KRB5_CONFIG=\"$env->{KRB5_CONFIG}\"";
+               $cmd .= " $samba_tool drs replicate $env->{DC_SERVER} $env->{SERVER}";
                $cmd .= " $dc_vars->{CONFIGURATION}";
                $cmd .= " -U$dc_vars->{DC_USERNAME}\%$dc_vars->{DC_PASSWORD}";
                # replicate Configuration NC
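Review bot: setup_promoted_vampire_dc stores `$env` in `$self->{vars}->{promoted_vampire_dc}` before the kcc and replicate commands have run, so when one of them fails the function returns `undef` but the entry stays set, presumably with the server already started by `check_or_start`. Moving the assignment to just before the function's final return would avoid recording a half-initialised environment, assuming nothing in between reads that entry. The body is otherwise a near copy of setup_vampire_dc; a shared helper that takes the provision method and the vars key would keep the two from drifting apart. The end of the function lies outside this hunk.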