this commit includes all the changes on the OV_9510_INTEGRATION and

OV_MERGE branches. This includes, but is not limited to, the new openvision admin system, and major changes to gssapi to add functionality, and bring the implementation in line with rfc1964. before committing, the code was built and tested for netbsd and solaris. git-svn-id: svn://anonsvn.mit.edu/krb5/trunk@8774 dc483132-0cff-0310-8789-dd5450dbe970
author: Marc Horowitz <marc@mit.edu> 1996-07-22 20:49:46 +0000
committer: Marc Horowitz <marc@mit.edu> 1996-07-22 20:49:46 +0000
commit: edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1 (patch)
tree: 6c2974a97b448c040fa4a31708ec5e02f187526c /src/lib/kadm5/unit-test/api.2
parent: 013bb1391582ed9e653ae706e398ddb8d08cfcc9 (diff)
download: krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.zip
krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.tar.gz
krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.tar.bz2
16 files changed, 8385 insertions, 0 deletions
diff --git a/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp
new file mode 100644
index 0000000..88aed8b
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/chpass-principal-v2.exp
@@ -0,0 +1,68 @@
+source lib.t
+api_exit
+api_start
+
+test "chpass-principal 200"
+proc test200 {} {
+    global test prompt
+
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal "$test/a"]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+
+    # I'd like to specify a long list of keysalt tuples and make sure
+    # that chpass does the right thing, but we can only use those
+    # enctypes that krbtgt has a key for: des-cbc-crc:normal and
+    # des-cbc-crc:v4, according to the prototype kdc.conf.
+    if {! [cmd [format {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_chpass_principal $server_handle "%s/a" newpassword
+    } $test]]} {
+	error "$test: unexpected failure in chpass_principal"
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle  "%s/a" p \
+		{KADM5_PRINCIPAL_NORMAL_MASK KADM5_KEY_DATA}
+    } $test]]} {
+	error "$test: unexpected failure in get_principal"
+    }
+    send "lindex \$p 16\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_keys $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_keys"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_keys"
+	    return
+	}
+    }
+
+    # XXX Perhaps I should actually check the key type returned.
+    if {$num_keys == 2} {
+	pass "$test"
+    } else {
+	fail "$test: $num_keys keys, should be 2"
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test200
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/chpass-principal.exp b/src/lib/kadm5/unit-test/api.2/chpass-principal.exp
new file mode 100644
index 0000000..3efdfa9
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/chpass-principal.exp
@@ -0,0 +1,176 @@
+source lib.t
+api_exit
+api_start
+
+test "chpass-principal 180"
+proc test180 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_chpass_principal $server_handle "%s/a" FoobarBax
+    } $test]
+
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test180 }
+
+test "chpass-principal 180.5"
+proc test1805 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_chpass_principal $server_handle "%s/a" FoobarBax
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test1805 }
+
+#
+# admin with changepw service tickets try to change other principals
+# password, failes with AUTH error
+test "chpass-principal 180.625"
+proc test180625 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_chpass_principal $server_handle "%s/a" password
+    } $test] "AUTH"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test180625 }
+
+test "chpass-principal 180.75"
+proc test18075 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_chpass_principal $server_handle "%s/a" Foobar
+    } $test] "AUTH_CHANGEPW"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test18075 }
+
+test "chpass-principal 182"
+proc test182 {} {
+    global test
+
+    if { ! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_chpass_principal $server_handle kadmin/history password
+    } "PROTECT"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test182
+
+test "chpass-principal 183"
+proc test183 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if { ! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_chpass_principal null "%s/a" password
+    } $test] "BAD_SERVER_HANDLE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test183
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/crte-policy.exp b/src/lib/kadm5/unit-test/api.2/crte-policy.exp
new file mode 100644
index 0000000..b0ea046
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/crte-policy.exp
@@ -0,0 +1,991 @@
+source lib.t
+api_exit
+api_start
+
+# Description: (1) Fails for mask with undefined bit set.
+# 01/24/94: pshuang: untried.
+test "create-policy 1"
+proc test1 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+           [delete_policy "$test/a"])} {
+            error_and_restart "$test: couldn't delete policy \"$test/a\""
+            return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		0xF01000
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test1
+
+# Description: (2) Fails if caller connected with CHANGEPW_SERVICE.
+test "create-policy 2"
+proc test2 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy";
+	return
+    }
+}
+if {$RPC} { test2 }
+
+# Description: (3) Fails for mask without POLICY bit set.
+# 01/24/94: pshuang: untried.
+test "create-policy 3"
+proc test3 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+           [delete_policy "$test/a"])} {
+            error_and_restart "$test: couldn't delete policy \"$test/a\""
+            return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		0x000000
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test3
+
+# Description: (4) Fails for mask with REF_COUNT bit set.
+test "create-policy 4"
+proc test4 {} {
+    global test
+    
+    if {! (( ! [policy_exists "$test/a"]) ||
+           [delete_policy "$test/a"])} {
+            error_and_restart "$test: couldn't delete policy \"$test/a\""
+            return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_REF_COUNT}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test4
+
+# Description: (5) Fails for invalid policy name.
+# 01/24/94: pshuang: untried.
+test "create-policy 5"
+proc test5 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/"] \
+		{KADM5_POLICY}
+    } $test] "BAD_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test5
+
+# Description: (6) Fails for existing policy name.
+test "create-policy 6"
+proc test6 {} {
+    global test
+#    set prms_id 777
+#    setup_xfail {*-*-*} $prms_id
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_create_policy $server_handle [simple_policy test-pol] \
+		{KADM5_POLICY}
+    } "DUP"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test6
+
+# Description: (7) Fails for null policy name.
+# 01/24/94: pshuang: untried.
+test "create-policy 7"
+proc test7 {} {
+    global test
+#    set prms_id 1977
+#    setup_xfail {*-*-*} $prms_id
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_create_policy $server_handle [simple_policy null] \
+		{KADM5_POLICY}
+    } "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test7
+
+# Description: (8) Fails for empty-string policy name.
+test "create-policy 8"
+proc test8 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_create_policy $server_handle [simple_policy ""] \
+		{KADM5_POLICY}
+    } "BAD_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test8
+
+# Description: (9) Accepts 0 for pw_min_life.
+test "create-policy 9"
+proc test9 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_PW_MIN_LIFE}
+    } $test]]} {
+	fail "$test: create failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 1\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test9
+
+# Description: (10) Accepts non-zero for pw_min_life.
+test "create-policy 10"
+proc test10 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 32 0 0 0 0 0 } \
+		{KADM5_POLICY KADM5_PW_MIN_LIFE}
+    } $test]]} {
+	fail "$test"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 1\n"
+    expect {
+	-re "32\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test10
+
+# Description: (11) Accepts 0 for pw_max_life.
+test "create-policy 11"
+proc test11 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_PW_MAX_LIFE}
+    } $test]]} {
+	fail "$test"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 2\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test11
+
+# Description: (12) Accepts non-zero for pw_max_life.
+test "create-policy 12"
+proc test12 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 32 0 0 0 0 } \
+		{KADM5_POLICY KADM5_PW_MAX_LIFE}
+    } $test]]} {
+	fail "$test"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 2\n"
+    expect {
+	-re "32\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test12
+
+# Description: (13) Rejects 0 for pw_min_length.
+test "create-policy 13"
+proc test13 {} {
+    global test
+    global prompt
+
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_PW_MIN_LENGTH}
+    } $test] "BAD_LENGTH"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test13
+
+# Description: (14) Accepts non-zero for pw_min_length.
+test "create-policy 14"
+proc test14 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 8 0 0 0 } \
+		{KADM5_POLICY KADM5_PW_MIN_LENGTH}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 3\n"
+    expect {
+	-re "8\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test14
+
+# Description: (15) Rejects 0 for pw_min_classes.
+test "create-policy 15"
+proc test15 {} {
+    global test
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_PW_MIN_CLASSES}
+    } $test] "BAD_CLASS"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test15
+
+# Description: (16) Accepts 1 for pw_min_classes.
+test "create-policy 16"
+proc test16 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 1 0 0 } \
+		{KADM5_POLICY KADM5_PW_MIN_CLASSES}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 4\n"
+    expect {
+	-re "1\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test16
+
+# Description: (17) Accepts 4 for pw_min_classes.
+test "create-policy 17"
+proc test17 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 5 0 0} \
+		{KADM5_POLICY KADM5_PW_MIN_CLASSES}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 4\n"
+    expect {
+	-re "5\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test17
+
+# Description: (18) Rejects 5 for pw_min_classes.
+test "create-policy 18"
+proc test18 {} {
+    global test
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 6 0 0} \
+		{KADM5_POLICY KADM5_PW_MIN_CLASSES}
+    } $test] "BAD_CLASS"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test18
+
+# Description: (19) Rejects 0 for pw_history_num.
+test "create-policy 19"
+proc test19 {} {
+    global test
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY KADM5_PW_HISTORY_NUM}
+    } $test] "BAD_HISTORY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test19
+
+# Description: (20) Accepts 1 for pw_history_num.
+test "create-policy 20"
+proc test20 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd  [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 0 1 0} \
+		{KADM5_POLICY KADM5_PW_HISTORY_NUM}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retreuve policy"
+	return
+    }
+    send "lindex \$policy 5\n"
+    expect {
+	-re "1\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test20
+
+# Description: (21) Accepts 10 for pw_history_num.
+test "create-policy 21"
+proc test21 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 0 10 0} \
+		{KADM5_POLICY KADM5_PW_HISTORY_NUM}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 5\n"
+    expect {
+	-re "10\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test21
+    
+# Description: (21.5) Rejects 11 for pw_history_num.
+# 01/24/94: pshuang: untried.
+
+test "create-policy 21.5"
+proc test215 {} {
+    global test
+    global prompt
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle {"%s/a" 0 0 0 0 11 0} \
+		{KADM5_POLICY KADM5_PW_HISTORY_NUM}
+    } $test] "BAD_HISTORY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test215
+
+
+# Description: (22) Fails for user with no access bits.
+test "create-policy 22"
+proc test22 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test22
+
+# Description: (23) Fails for user with "get" but not "add".
+test "create-policy 23"
+proc test23 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test23
+
+# Description: (24) Fails for user with "modify" but not "add".
+# 01/24/94: pshuang: untried.
+test "create-policy 24"
+proc test24 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test24
+
+# Description: (25) Fails for user with "delete" but not "add".
+# 01/24/94: pshuang: untried.
+test "create-policy 25"
+proc test25 {} {
+    global test
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test25
+
+# Description: Succeeds for user with "add".
+test "create-policy 26"
+proc test26 {} {
+    global test
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test26
+
+# Description: Succeeds for user with "get" and "add".
+# 01/24/94: pshuang: untried.
+test "create-policy 27"
+proc test27 {} {
+    global test
+
+    if {! (( ! [policy_exists "$test/a"]) ||
+	   [delete_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/get-add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_create_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test27
+
+# Description: (28) Rejects null policy argument.
+# 01/24/94: pshuang: untried.
+test "create-policy 28"
+proc test28 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_create_policy $server_handle null {KADM5_POLICY}
+    } "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test28
+
+test "create-policy 30"
+proc test30 {} {
+    global test
+    one_line_fail_test [format {
+	kadm5_create_policy null [simple_policy "%s/a"] \
+		{KADM5_POLICY}
+    } $test] "BAD_SERVER_HANDLE"
+}
+test30
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/crte-principal.exp b/src/lib/kadm5/unit-test/api.2/crte-principal.exp
new file mode 100644
index 0000000..653d122
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/crte-principal.exp
@@ -0,0 +1,1330 @@
+source lib.t
+api_exit
+api_start
+
+#test "create-principal 1"
+#
+#proc test1 {} {
+#	global test
+#	begin_dump
+#	one_line_fail_test [format {
+#	    kadm5_create_principal $server_handle \
+#		    [simple_principal "%s/a"] {KADM5_PRINCIPAL} "%s/a"
+#	} $test $test] "NOT_INIT"
+#	end_dump_compare "no-diffs"
+#}
+#test1
+
+test "create-principal 2"
+
+proc test2 {} {
+    global test
+    begin_dump
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_create_principal $server_handle null \
+		{KADM5_PRINCIPAL} testpass
+    } "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"
+}
+test2
+
+test "create-principal 3"
+proc test3 {} {
+    global test
+#    set prms_id 777
+#    setup_xfail {*-*-*} $prms_id
+    begin_dump
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} null
+    } $test] "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+test3
+
+test "create-principal 4"
+proc test4 {} {
+    global test
+
+    begin_dump    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} ""
+    } $test] "_Q_TOOSHORT"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"     
+}
+test4
+
+test "create-principal 5"
+proc test5 {} {
+    global test
+    begin_dump    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle \
+		[simple_principal "%s/a"] {0x100001} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+test5
+
+test "create-principal 6"
+proc test6 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_LAST_PWD_CHANGE} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test6
+
+test "create-principal 7"
+proc test7 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MOD_TIME} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test7
+
+test "create-principal 8"
+proc test8 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MOD_NAME} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test8
+
+test "create-principal 9"
+proc test9 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MKVNO} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test9
+
+test "create-principal 10"
+proc test10 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_AUX_ATTRIBUTES} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test10
+
+test "create-principal 11"
+proc test11 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_POLICY_CLR} "%s/a"
+    } $test $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test11
+
+test "create-principal 12"
+proc test12 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+
+}
+if {$RPC} { test12 }
+
+test "create-principal 13"
+proc test13 {} {
+    global test
+    begin_dump        
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+if {$RPC} { test13 }
+
+test "create-principal 14"
+proc test14 {} {
+    global test
+    begin_dump        
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+if {$RPC} { test14 }
+
+test "create-principal 15"
+proc test15 {} {
+    global test
+    begin_dump    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+if {$RPC} { test15 }
+
+test "create-principal 16"
+proc test16 {} {
+    global test
+    begin_dump        
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+if {$RPC} { test16 }
+
+test "create-principal 17"
+proc test17 {} {
+    global test
+
+    begin_dump    
+    if {! (( [principal_exists "$test/a"]) || [create_principal "$test/a"])} {
+		error_and_restart "$test: couldn't create principal \"$test/a\""
+		return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "DUP"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test17
+
+test "create-principal 18"
+proc test18 {} {
+    global test
+
+    begin_dump    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY} tP
+    } $test] "_Q_TOOSHORT"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"    
+}
+test18
+
+test "create-principal 19"
+proc test19 {} {
+    global test
+
+    begin_dump    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY} testpassword
+    } $test] "_Q_CLASS"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test19
+
+test "create-principal 20"
+proc test20 {} {
+    global test
+
+    begin_dump    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY} Abyssinia
+    } $test] "_Q_DICT"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test20
+
+test "create-principal 21"
+proc test21 {} {
+    global test
+
+    begin_dump    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" non-existant-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary
+    } $test] "UNK_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    end_dump_compare "no-diffs"        
+}
+test21
+
+test "create-principal 23"
+proc test23 {} {
+    global test
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    one_line_succeed_test \
+	    [format {kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK} $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test23
+
+test "create-principal 24"
+proc test24 {} {
+    global test
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/rename admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    one_line_succeed_test \
+	    [format {kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK} $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test24 }
+
+
+test "create-principal 28"
+proc test28 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return
+    }
+    send "lindex \$principal 10\n"
+    expect {
+	-re "test-pol.*$prompt$"   { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test28
+
+test "create-principal 29"
+proc test29 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL KADM5_PRINC_EXPIRE_TIME} \
+		inTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 1\n"
+    expect {
+	-re "0.*$prompt$"   { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test29
+
+test "create-principal 30"
+proc test30 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL KADM5_PW_EXPIRATION} \
+		NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test30
+
+test "create-principal 31"
+proc test31 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol-nopw] \
+		{KADM5_PRINCIPAL KADM5_POLICY \
+		KADM5_PW_EXPIRATION} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test31
+
+test "create-principal 32"
+proc test32 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		[princ_w_pol "%s/a" test-pol] \
+		{KADM5_PRINCIPAL KADM5_POLICY \
+		KADM5_PW_EXPIRATION} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol policy}]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+
+    send "lindex \$principal 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$mod_date + $pw_max_life - $pw_expire"] > 5 } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test32
+
+test "create-principal 33"
+proc test33 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		{"%s/a" 0 0 1234 0 null 0 0 0 0 null 0} \
+		{KADM5_PRINCIPAL KADM5_PW_EXPIRATION} \
+		NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test33
+
+test "create-principal 34"
+proc test34 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		{ "%s/a" 0 0 1234 0 null 0 0 0 0 test-pol-nopw 0} \
+		{KADM5_PRINCIPAL KADM5_POLICY \
+		KADM5_PW_EXPIRATION} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test34
+
+test "create-principal 35"
+proc test35 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		{"%s/a" 0 0 1234 0 null 0 0 0 0 test-pol 0} \
+		{KADM5_PRINCIPAL KADM5_POLICY \
+		KADM5_PW_EXPIRATION} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test35
+
+test "create-principal 36"
+proc test36 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle \
+		{"%s/a" 0 0 999999999 0 null 0 0 0 0 test-pol 0} \
+		{KADM5_PRINCIPAL KADM5_POLICY \
+		KADM5_PW_EXPIRATION} NotinTheDictionary
+    } $test]]} {    
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol policy} ]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+
+    send "lindex \$principal 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$mod_date + $pw_max_life - $pw_expire"] > 5 } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test36
+
+test "create-principal 37"
+proc test37 {} {
+    global test
+    global prompt
+
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test37
+
+test "create-principal 38"
+proc test38 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol-nopw] {KADM5_PRINCIPAL KADM5_POLICY} \
+		NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test38
+
+test "create-principal 39"
+proc test39 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_PRINCIPAL KADM5_POLICY} \
+		NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if { ! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: cannot not retrieve principal"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol policy}]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+    send "lindex \$principal 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$mod_date + $pw_max_life - $pw_expire"] > 5 } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test39
+
+test "create-principal 40"
+proc test40 {} {
+    global test
+    global prompt
+    
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL KADM5_PW_EXPIRATION} \
+		NotinTheDictionary
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: can not retreive principal"
+	return;
+    }
+    send "lindex \$principal 4\n"
+    expect {
+	-re "0.*$prompt$"	    { pass "$test" }
+	timeout			    { fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test40
+
+test "create-principal 43"
+proc test43 {} {
+    global test
+    one_line_fail_test [format {
+	kadm5_create_principal null \
+		    [simple_principal "%s/a"] {KADM5_PRINCIPAL} "%s/a"
+    } $test $test] "BAD_SERVER_HANDLE"
+}
+test43
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/destroy.exp b/src/lib/kadm5/unit-test/api.2/destroy.exp
new file mode 100644
index 0000000..808f0b4
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/destroy.exp
@@ -0,0 +1,203 @@
+source lib.t
+api_exit
+api_start
+
+test "destroy 1"
+
+proc test1 {} {
+	global test
+	begin_dump
+	if {! [cmd {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+	}]} {
+		error "$test: unexpected failure in init"
+		return
+	}
+	one_line_succeed_test {kadm5_destroy $server_handle}
+	end_dump_compare "no-diffs"
+}
+test1
+
+#test "destroy 2"
+#
+#proc test2 {} {
+#	global test
+#	begin_dump
+#	if {! [cmd {
+#	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}]} {
+#	    error "$test: unexpected failure on init"
+#	    return
+#	}
+#	if {! [cmd {kadm5_destroy $server_handle}]} {
+#		error_and_restart "$test: couldn't close database"
+#		return
+#	}
+#	one_line_fail_test \
+#		{kadm5_get_principal $server_handle admin principal} \
+#		"NOT_INIT"
+#	end_dump_compare "no-diffs"
+#}
+#test2
+
+#test "destroy 3"
+#proc test3 {} {
+#	global test
+#
+#	begin_dump
+#	if {! (( ! [principal_exists "$test/a"]) || [delete_principal "$test/a"])} {
+#	    error_and_restart "$test couldn't delete principal \"$test/a\""
+#	    return
+#	}
+#	if {! [cmd {
+#	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}]} {
+#	    error "$test: unexpected failure on init"
+#	    return
+#	}
+#	if {! [cmd {kadm5_destroy $server_handle}]} {
+#		error_and_restart "$test: couldn't close database"
+#		return
+#	}
+#	one_line_fail_test [format {
+#	    kadm5_create_principal $server_handle \
+#		    [simple_principal "%s/a"] {KADM5_PRINCIPAL} "%s/a"
+#	} $test $test] "NOT_INIT"
+#	end_dump_compare "no-diffs"
+#}
+#test3
+
+#test "destroy 4"
+#proc test4 {} {
+#	global test prompt
+#
+#	if {! (([principal_exists "$test/a"]) || [create_principal "$test/a"])} {
+#		error_and_restart "$test: couldn't create principal \"$test/a\""
+#		return
+#	}
+#	begin_dump
+#	if {! ([cmd {
+#	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}] &&
+#	    [cmd [format {
+#		kadm5_get_principal $server_handle "%s/a" principal
+#	    } $test]])} {
+#		error_and_restart "$test: error getting principal"
+#		return;
+#	}
+#	if {! [cmd {kadm5_destroy $server_handle}]} {
+#		error_and_restart "$test: couldn't close database"
+#		return
+#	}
+#	one_line_fail_test [format {
+#	    kadm5_modify_principal $server_handle \
+#		    {"%s/a" 0 0 0 0 0 0 0 %d 0 0 0} {KADM5_KVNO}
+#	} $test "77"] "NOT_INIT"
+#	end_dump_compare "no-diffs"
+#}
+#test4
+
+#test "destroy 5"
+#
+#proc test5 {} {
+#	global test
+#
+#	if {! ([principal_exists "$test/a"] || [create_principal "$test/a"])} {
+#		error_and_restart "$test: couldn't create principal \"$test/a\""
+#		return
+#	}
+#	begin_dump
+#	if {! [cmd {
+#	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}]} {
+#	    error "$test: unexpected failure on init"
+#	    return
+#	}
+#	if {! [cmd {kadm5_destroy $server_handle}]} {
+#		error_and_restart "$test: couldn't close database"
+#		return
+#	}
+#	one_line_fail_test [format {
+#	    kadm5_delete_principal $server_handle "%s/a"
+#	} $test] "NOT_INIT"
+#	end_dump_compare "no-diffs"
+#}
+#test5
+
+#test	"destroy 6"
+#
+#proc test6 {} {
+#	global test
+#	begin_dump	
+#	one_line_fail_test {kadm5_destroy $server_handle} "NOT_INIT"
+#	end_dump_compare "no-diffs"	
+#}
+#test6
+
+
+#test	"destroy 7"
+#
+#proc test7 {} {
+#	global test
+#	begin_dump	
+#	if {! [cmd {
+#	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}]} {
+#		error "$test: unexpected failure in init"
+#		return
+#	}
+#	if {! [cmd {kadm5_destroy $server_handle}]} {
+#		error_and_restart "$test: couldn't close database"
+#	}
+#	one_line_fail_test {kadm5_destroy $server_handle} "NOT_INIT"
+#	end_dump_compare "no-diffs"	
+#}
+#test7
+
+test	"destroy 8"
+proc test8 {} {
+	global test
+	begin_dump	
+	if {! [cmd {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}]} {
+		error "$test: unexpected failure in init"
+		return
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+	one_line_succeed_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+	end_dump_compare "no-diffs"		
+}
+test8
+
+test "destroy 9"
+proc test9 {} {
+	global test
+	one_line_fail_test {kadm5_destroy null} "BAD_SERVER_HANDLE"
+}
+test9
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/dlte-policy.exp b/src/lib/kadm5/unit-test/api.2/dlte-policy.exp
new file mode 100644
index 0000000..95a57dc
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/dlte-policy.exp
@@ -0,0 +1,207 @@
+source lib.t
+api_exit
+api_start
+
+test "delete-policy 2"
+proc test2 {} {
+    global test
+#    set prms_id 744
+#    setup_xfail {*-*-*} $prms_id
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test \
+	    {kadm5_delete_policy $server_handle ""} "BAD_POL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test2
+
+test "delete-policy 5"
+proc test5 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_policy $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if ${RPC} test5
+
+test "delete-policy 6"
+proc test6 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_policy $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if ${RPC} test6
+
+test "delete-policy 7"
+proc test7 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_policy $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test7
+
+test "delete-policy 10"
+proc test10 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_delete_policy $server_handle  "%s/a"
+    } $test]]} {
+	fail "$test"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    if { [policy_exists "$test/a"]} {
+	fail "$test"
+	return
+    }
+}
+test10
+
+test "delete-policy 12"
+proc test12 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+    if {! ((! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test unexecpted failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [princ_w_pol "%s/a" \
+		"%s/a"] {KADM5_PRINCIPAL KADM5_POLICY} \
+		NotinTheDictionary
+    } $test $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test \
+	    {kadm5_delete_policy $server_handle test-pol} "POLICY_REF"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test12
+
+test "delete-policy 13"
+proc test13 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_policy null "%s/a"
+    } $test] "BAD_SERVER_HANDLE"
+}
+test13
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/dlte-principal.exp b/src/lib/kadm5/unit-test/api.2/dlte-principal.exp
new file mode 100644
index 0000000..fe157e8
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/dlte-principal.exp
@@ -0,0 +1,329 @@
+source lib.t
+
+api_exit
+api_start
+
+#test "delete-principal 1"
+#proc test1 {} {
+#	global test
+#	one_line_fail_test [format {
+#	    kadm5_delete_principal $server_handle "%s/a"
+#	} $test] "NOT_INIT"
+#}
+#test1
+
+test "delete-principal 2"
+proc test2 {} {
+    global test
+   
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	error_and_restart "$test: couldn't delete principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test \
+	    {kadm5_delete_principal $server_handle null} "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error_and_restart "$test: unexpected failure in destroy"
+	return
+    }
+}
+test2
+
+test "delete-principal 5"
+proc test5 {} {
+    global test
+   
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	error_and_restart "$test: couldn't delete principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "UNK_PRINC"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test5
+
+test "delete-principal 6"
+proc test6 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" test-pol])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test6 }
+    
+	
+test "delete-principal 7"
+proc test7 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test7 }
+    
+	
+test "delete-principal 8"
+proc test8 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test8 }
+
+test "delete-principal 9"
+proc test9 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test9 }
+
+test "delete-principal 10"
+proc test10 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test] "AUTH_DELETE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test10 }
+
+test "delete-principal 11"
+proc test11 {} {
+    global test
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test]]} {
+	fail "$test: delete failed"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    if { [principal_exists "$test/a"] } {
+	fail "$test"
+	return
+    }
+}
+test11
+
+test "delete-principal 12"
+proc test12 {} {
+    global test
+    global prompt
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" test-pol])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_delete_principal $server_handle "%s/a"
+    } $test]]} {
+	fail "$test: delete failed"
+	return
+    }
+    if { [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	fail "$test: principal still exists"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    send "lindex \$p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    
+    send "lindex \$p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { [expr "$oldref - 1"] != $newref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    pass "$test"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+
+test12
+
+test "delete-principal 13"
+proc test13 {} {
+	global test
+	one_line_fail_test [format {
+	    kadm5_delete_principal null "%s/a"
+	} $test] "BAD_SERVER_HANDLE"
+}
+test13
+    
+return ""
+
+
+
+
+
diff --git a/src/lib/kadm5/unit-test/api.2/get-policy.exp b/src/lib/kadm5/unit-test/api.2/get-policy.exp
new file mode 100644
index 0000000..ff41c17
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/get-policy.exp
@@ -0,0 +1,199 @@
+source lib.t
+api_exit
+api_start
+
+test "get-policy 3"
+proc test3 {} {
+    global test
+#    set prms_id 744
+#    setup_xfail {*-*-*} $prms_id
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {kadm5_get_policy $server_handle "" p} "BAD_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test3
+
+test "get-policy 6"
+proc test6 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+	    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {kadm5_get_policy $server_handle test-pol p} \
+	    "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } test6
+
+test "get-policy 7"
+proc test7 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+	    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {kadm5_get_policy $server_handle test-pol p} \
+	    "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } test7
+
+test "get-policy 11"
+proc test11 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/get-pol StupidAdmin $KADM5_ADMIN_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_policy $server_handle test-pol p}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test11
+
+test "get-policy 12"
+proc test12 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/get-pol StupidAdmin \
+		$KADM5_CHANGEPW_SERVICE null $KADM5_STRUCT_VERSION \
+		$KADM5_API_VERSION_2 server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test \
+	    {kadm5_get_policy $server_handle test-pol-nopw p}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test12
+
+test "get-policy 15"
+proc test15 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/pol StupidAdmin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test \
+	    {kadm5_get_policy $server_handle test-pol-nopw p}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test15
+
+test "get-policy 16"
+proc test16 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/pol StupidAdmin $KADM5_CHANGEPW_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test \
+	    {kadm5_get_policy $server_handle test-pol-nopw p}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test16
+
+test "get-policy 17"
+proc test17 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+	    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_policy $server_handle test-pol p}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test17
+
+test "get-policy 18"
+proc test18 {} {
+    global test
+
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {kadm5_get_policy $server_handle test-pol p} \
+	    "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } test18
+
+test "get-policy 21"
+proc test21 {} {
+    global test
+
+    one_line_fail_test {kadm5_get_policy null "pol1" p} "BAD_SERVER_HANDLE"
+}
+test21
diff --git a/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp
new file mode 100644
index 0000000..486d1a6
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/get-principal-v2.exp
@@ -0,0 +1,234 @@
+source lib.t
+api_exit
+api_start
+
+test "get-principal 100"
+proc test100 {} {
+    global test prompt
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd {
+	kadm5_get_principal $server_handle testuser p \
+		{KADM5_PRINCIPAL_NORMAL_MASK}
+    }]} {
+	error "$test: unexpected failure in get_principal"
+    }
+    send "lindex \$p 16\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_keys $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_keys"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_keys"
+	    return
+	}
+    }
+    send "lindex \$p 17\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_tl $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_tl"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_tl"
+	    return
+	}
+    }
+    send "lindex \$p 18\n"
+    expect {
+	-re "({.*})\n$prompt" {set key_data $expect_out(1,string) }
+	-re "\n$prompt" { set key_data {} }
+	timeout {
+	    error_and_restart "$test: timeout getting key_data"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting key_data"
+	    return
+	}
+    }
+    send "lindex \$p 19\n"
+    expect {
+	-re "({.*})\n$prompt" {set tl_data $expect_out(1,string) }
+	-re "\n$prompt" { set tl_data {} }
+	timeout {
+	    error_and_restart "$test: timeout getting tl_data"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting tl_data"
+	    return
+	}
+    }
+    
+    set failed 0
+    if {$num_keys != 0} {
+	fail "$test: num_keys $num_keys should be 0"
+	set failed 1
+    }
+    if {$num_tl != 0} {
+	fail "$test: num_tl $num_tl should be 0"
+	set failed 1
+    }
+    if {$key_data != {}} {
+	fail "$test: key_data $key_data should be {}"
+	set failed 1
+    }
+    if {$tl_data != "{}"} {
+	fail "$test: tl_data $tl_data should be {}"
+	set failed 1
+    }
+    if {$failed == 0} {
+	pass "$test"
+    }
+
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test100
+
+proc test101_102 {rpc} {
+    global test prompt
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd {
+	kadm5_get_principal $server_handle testuser p \
+		{KADM5_PRINCIPAL_NORMAL_MASK KADM5_KEY_DATA}
+    }]} {
+	error "$test: unexpected failure in get_principal"
+    }
+    send "lindex \$p 16\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_keys $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_keys"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_keys"
+	    return
+	}
+    }
+    send "lindex \$p 18\n"
+    expect {
+	-re "({.*})\n$prompt" {set key_data $expect_out(1,string) }
+	-re "\n$prompt" { set key_data {} }
+	timeout {
+	    error_and_restart "$test: timeout getting key_data"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting key_data"
+	    return
+	}
+    }
+
+    set failed 0
+    if {$num_keys != 2} {
+	fail "$test: num_keys $num_keys should be 2"
+	set failed 1
+    }
+    for {set i 0} {$i < $num_keys} {incr i} {
+	set key "[lindex [lindex $key_data $i] 2]"
+	if {($rpc && [string compare $key ""] != 0) ||
+	    ((! $rpc) && [string compare $key ""] == 0)} {
+	    fail "$test: key_data $key is wrong"
+	    set failed 1
+	    
+	}
+    }
+    if {$failed == 0} { pass "$test" }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test "get-principal 101" 
+if {$RPC} {test101_102 $RPC}
+test "get-principal 102" 
+if {! $RPC} {test101_102 $RPC}
+
+test "get-principal 103"
+proc test103 {} {
+    global test prompt
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd {
+	kadm5_get_principal $server_handle testuser p \
+		{KADM5_PRINCIPAL_NORMAL_MASK KADM5_TL_DATA}
+    }]} {
+	error "$test: unexpected failure in get_principal"
+    }
+    send "lindex \$p 17\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_tl $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_tl"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_tl"
+	    return
+	}
+    }
+    send "lindex \$p 19\n"
+    expect {
+	-re "({.*})\n$prompt" {set tl_data $expect_out(1,string) }
+	-re "\n$prompt" { set tl_data {} }
+	timeout {
+	    error_and_restart "$test: timeout getting tl_data"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting tl_data"
+	    return
+	}
+    }
+    
+    if {$num_tl == 0} {
+	fail "$test: num_tl $num_tl should not be 0"
+    } elseif {$tl_data == {}} {
+	fail "$test: tl_data $tl_data should not be {}"
+    } else {
+	pass "$test"
+    }
+
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test103
+
+return ""
+
+
+
+
diff --git a/src/lib/kadm5/unit-test/api.2/get-principal.exp b/src/lib/kadm5/unit-test/api.2/get-principal.exp
new file mode 100644
index 0000000..4f91b33
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/get-principal.exp
@@ -0,0 +1,346 @@
+source lib.t
+api_exit
+api_start
+
+test "get-principal 1"
+proc test1 {} {
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test \
+	    {kadm5_get_principal $server_handle null p KADM5_PRINCIPAL_NORMAL_MASK} "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test1
+
+test "get-principal 2"
+proc test2 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "UNK_PRINC"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test2
+
+test "get-principal 3"
+proc test3 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test3 }
+    
+test "get-principal 4"
+proc test4 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test4 }
+
+test "get-principal 5"
+proc test5 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test5 }
+
+test "get-principal 6"
+proc test6 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test6 }
+
+test "get-principal 7"
+proc test7 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test7 }
+
+    
+test "get-principal 8"
+proc test8 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_get_principal $server_handle "%s/a" p KADM5_PRINCIPAL_NORMAL_MASK
+    } $test] "AUTH_GET"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test8 }
+
+    
+test "get-principal 9"
+proc test9 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test \
+	    {kadm5_get_principal $server_handle admin/none p KADM5_PRINCIPAL_NORMAL_MASK} 
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test9
+
+test "get-principal 10"
+proc test10 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test \
+	    {kadm5_get_principal $server_handle admin/none p KADM5_PRINCIPAL_NORMAL_MASK}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test10
+
+test "get-principal 11"
+proc test11 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_principal $server_handle admin/get p KADM5_PRINCIPAL_NORMAL_MASK}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test11
+
+test "get-principal 12"
+proc test12 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_principal $server_handle admin/get p KADM5_PRINCIPAL_NORMAL_MASK}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test12
+
+test "get-principal 13"
+proc test13 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_principal $server_handle admin/add p KADM5_PRINCIPAL_NORMAL_MASK} 
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test13
+
+test "get-principal 14"
+proc test14 {} {
+    global test
+    if {! [cmd {
+	kadm5_init admin/get-mod admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test {kadm5_get_principal $server_handle admin/add p KADM5_PRINCIPAL_NORMAL_MASK}
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test14
+
+test "get-principal 15"
+proc test15 {} {
+    one_line_fail_test \
+	    {kadm5_get_principal null "admin" p KADM5_PRINCIPAL_NORMAL_MASK} "BAD_SERVER_HANDLE"
+}
+test15
+
+return ""
+
+
+
+
diff --git a/src/lib/kadm5/unit-test/api.2/init-v2.exp b/src/lib/kadm5/unit-test/api.2/init-v2.exp
new file mode 100644
index 0000000..5de25d6
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/init-v2.exp
@@ -0,0 +1,545 @@
+source lib.t
+
+api_exit
+api_start
+
+test "init 100"
+proc test100 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_PROFILE} /does-not-exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "ENOENT"
+}
+test100
+
+test "init 101"
+proc test101 {} {
+    global test
+
+    # XXX Fix to work with a remote TEST_SERVER.  For now, make sure
+    # it fails in that case.
+    one_line_succeed_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADMIN_SERVER KADM5_CONFIG_KADMIND_PORT} {localhost 1751}] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADMIN_SERVER KADM5_CONFIG_KADMIND_PORT} {localhost 1}] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "RPC_ERROR"
+}
+if {$RPC} test101
+
+test "init 102"
+proc test102 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADMIN_SERVER} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "CONFIG_BADFORMAT"
+}
+if {$RPC} test102
+
+test "init 103"
+proc test103 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_DBNAME} /does-not-exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "ENOENT"
+}
+if {! $RPC} test103
+
+test "init 104"
+proc test104 {} {
+    global test
+
+    # This is slightly lame, but it works: if CONFIG_ADBNAME is obeyed, 
+    # then the lock file will be set based on it, and it won't exist.
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADBNAME} /does-not-exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "NOLOCKFILE"
+}
+if {! $RPC} test104
+
+test "init 105"
+proc test105 {} {
+    global test
+
+    # The lock info is stored in a static structure so that it applies
+    # to all handles in the process (why?).  We need to restart the api
+    # in order to ensure we are using the new lockfile.
+    api_exit
+    api_start
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADB_LOCKFILE} /does-not-exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "NOLOCKFILE"
+
+    api_exit
+    api_start
+}
+if {! $RPC} test105
+
+test "init 106"
+proc test106 {} {
+    global test prompt
+    
+    send [string trim {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MKEY_FROM_KBD} 1] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]
+    send "\n"
+    expect {
+	-re ":$" { set prompting 1}
+	-re "\nOK .*$prompt$" { fail "$test: premature success" }
+	-re "\nERROR .*$prompt$" { fail "$test: premature failure" }
+	timeout { fail "$test: timeout" }
+	eof { fail "$test: eof" }
+    }
+    if {$prompting} {
+	one_line_succeed_test mrroot
+    }
+    if {! [cmd {kadm5_destroy $server_handle}]} {
+	error_and_restart "$test: couldn't close database"
+    }
+}
+if {! $RPC} test106
+
+test "init 107"
+proc test107 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_STASH_FILE} /does-not-exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "KDB_CANTREAD_STORED"
+}
+if {! $RPC} test107
+
+test "init 108"
+proc test108 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MKEY_NAME} does/not/exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "KDB_NOMASTERKEY"
+}
+if {! $RPC} test108
+
+test "init 109-113"
+proc test109 {} {
+    global test prompt
+
+    delete_principal "$test/a"
+
+    # I'd like to specify flags explicitly and check them, as in the
+    # following config_params, but tcl gets mighty confused if I do and 
+    # I have no idea why.
+#		[config_params {KADM5_CONFIG_MAX_LIFE KADM5_CONFIG_MAX_RLIFE KADM5_CONFIG_EXPIRATION KADM5_CONFIG_FLAGS KADM5_CONFIG_ENCTYPES} {10 20 30 KRB5_KDB_DISALLOW_TGT_BASED {}} ]
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MAX_LIFE KADM5_CONFIG_MAX_RLIFE KADM5_CONFIG_EXPIRATION KADM5_CONFIG_ENCTYPES} {10 20 30 {}} ] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	fail "$test: cannot init with max_life"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_create_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test]]} {
+	fail "$test: can not create principal"
+	return;
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" p \
+		{KADM5_PRINCIPAL_NORMAL_MASK KADM5_KEY_DATA}
+    } $test]]} {
+	fail "$test: can not get principal"
+	return;
+    }
+    send "puts \$p\n"
+    send "lindex \$p 4\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting max_life"
+	    return
+	}
+    }
+    send "lindex \$p 12\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set max_rlife $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting max_rlife"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting max_rlife"
+	    return
+	}
+    }
+    send "lindex \$p 1\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set expiration $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting expiration"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting expiration"
+	    return
+	}
+    }
+    send "lindex \$p 7\n"
+    expect {
+	-re "(\[A-Z_\]*)\n$prompt" {set flags $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting flags"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting flags"
+	    return
+	}
+    }
+    # This sorta worries me.  Since the test is setting ENCTYPES to
+    # nothing, the principal has no keys.  That means that nothing is
+    # printed for the keys in the correct case; but it feels too
+    # likely that nothing will be printed in the case of some problem.
+    send "lindex \$p 18\n"
+    expect {
+	-re "({.*})\n$prompt" {set key_data $expect_out(1,string) }
+	-re "\n$prompt" { set key_data {} }
+	timeout {
+	    error_and_restart "$test: timeout getting flags"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting flags"
+	    return
+	}
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+    if {$max_life == 10} {
+	pass "$test"
+    } else {
+	fail "$test: $max_life is not 10"
+    }
+    if {$max_rlife == 20} {
+	pass "$test"
+    } else {
+	fail "$test: $max_rlife is not 20"
+    }
+    if {$expiration == 30} {
+	pass "$test"
+    } else {
+	fail "$test: $expiration is not 30"
+    }
+    if {$flags == ""} {
+	pass "$test"
+    } else {
+	fail "$test: flags $flags are wrong"
+    }
+    if {$key_data == {}} {
+	pass "$test"
+    } else {
+	fail "$test: key_data $key_data is wrong"
+    }
+}
+if {! $RPC} test109
+
+test "init 114"
+proc test114 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADMIN_SERVER} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_SERVER_PARAMS"
+}
+if {! $RPC} test114
+
+test "init 115"
+proc test115 {} {
+    global test
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_DBNAME} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADBNAME} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ACL_FILE} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_DICT_FILE} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ADMIN_KEYTAB} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MKEY_FROM_KBD} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_STASH_FILE} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MKEY_NAME} does.not.exist] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ENCTYPE} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MAX_LIFE} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_MAX_RLIFE} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_EXPIRATION} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_FLAGS} 0] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+
+    one_line_fail_test {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+		[config_params {KADM5_CONFIG_ENCTYPES} {{}}] \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "BAD_CLIENT_PARAMS"
+}
+if {$RPC} test115
+
+test "init 116"
+proc test116 {} {
+    global test
+
+    delete_principal "$test/a"
+
+    if {! [cmd {kadm5_init admin/get-add admin $KADM5_ADMIN_SERVICE \
+	    null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    get_add_handle}]} {
+	error_and_restart "$test: couldn't init with admin/get-add"
+    }
+
+    if {! [cmd {kadm5_init admin/mod-delete admin $KADM5_ADMIN_SERVICE \
+	    null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    mod_delete_handle}]} {
+	error_and_restart "$test: couldn't init with admin/get-add"
+    }
+
+    one_line_succeed_test {
+	kadm5_get_principal $get_add_handle testuser p \
+		KADM5_PRINCIPAL_NORMAL_MASK
+    }
+    one_line_succeed_test [format {
+	kadm5_create_principal $get_add_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test]
+    one_line_fail_test { 
+	kadm5_modify_principal $get_add_handle [simple_principal testuser] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } "AUTH_MODIFY"
+    one_line_fail_test {
+	kadm5_delete_principal $get_add_handle testuser
+    } "AUTH_DELETE"
+
+    one_line_fail_test {
+	kadm5_get_principal $mod_delete_handle testuser p \
+		KADM5_PRINCIPAL_NORMAL_MASK
+    } "AUTH_GET"
+    one_line_fail_test [format {
+	kadm5_create_principal $mod_delete_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL} testpass
+    } $test] "AUTH_ADD"
+    one_line_succeed_test { 
+	kadm5_modify_principal $mod_delete_handle [simple_principal testuser] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    }
+    one_line_succeed_test [format {
+	kadm5_delete_principal $mod_delete_handle "%s/a"
+    } $test]
+
+    if {! [cmd {kadm5_destroy $get_add_handle}]} {
+	error_and_restart "$test: couldn't close get_add_handle"
+    }
+    if {! [cmd {kadm5_destroy $mod_delete_handle}]} {
+	error_and_restart "$test: couldn't close mod_delete_handle"
+    }
+}
+if {$RPC} test116
+    
+send "puts \$KADM5_ADMIN_SERVICE\n"
+expect {
+    -re "(\[a-zA-Z/@\]+)\n$prompt" {
+	set KADM5_ADMIN_SERVICE $expect_out(1,string) 
+    }
+    default {
+	error_and_restart "$test: timeout/eof getting admin_service"
+	return
+    }
+}
+
+send "puts \$KADM5_CHANGEPW_SERVICE\n"
+expect {
+    -re "(\[a-zA-Z/@\]+)\n$prompt" {
+	set KADM5_CHANGEPW_SERVICE $expect_out(1,string) 
+    }
+    default {
+	error_and_restart "$test: timeout/eof getting changepw_service"
+	return
+    }
+}
+
+test "init 150"
+proc test150 {} {
+    global test KADM5_ADMIN_SERVICE
+
+    set env(KRB5CCNAME) /tmp/krb5cc_kadm5_init_v2
+    kdestroy
+    kinit testuser notathena "-S $KADM5_ADMIN_SERVICE"
+    one_line_succeed_test {
+	kadm5_init_with_creds testuser null $KADM5_ADMIN_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }
+    kdestroy
+}
+if {$RPC} test150
+
+test "init 151"
+proc test151 {} {
+    global test KADM5_CHANGEPW_SERVICE
+
+    set env(KRB5CCNAME) /tmp/krb5cc_kadm5_init_v2
+    kdestroy
+    kinit testuser notathena "-S $KADM5_CHANGEPW_SERVICE"
+    one_line_succeed_test {
+	kadm5_init_with_creds testuser null $KADM5_CHANGEPW_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }
+    kdestroy
+}
+if {$RPC} test151
+
+test "init 152"
+proc test152 {} {
+    global test KADM5_ADMIN_SERVICE
+
+    kdestroy
+    one_line_fail_test {
+	kadm5_init_with_creds testuser null $KADM5_ADMIN_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "GSS_ERROR"
+}
+if {$RPC} test152
+
+test "init 153"
+proc test153 {} {
+    global test KADM5_ADMIN_SERVICE
+
+    set env(KRB5CCNAME) /tmp/krb5cc_kadm5_init_v2
+    kinit testuser notathena
+    one_line_fail_test {
+	kadm5_init_with_creds testuser null $KADM5_ADMIN_SERVICE \
+		null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } "GSS_ERROR"
+}
+if {$RPC} test153
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/init.exp b/src/lib/kadm5/unit-test/api.2/init.exp
new file mode 100644
index 0000000..97a99e0
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/init.exp
@@ -0,0 +1,731 @@
+source lib.t
+
+# Assumptions:
+# 
+# Principal "admin" exists, with "get", "add", "modify" and "delete"
+#   access bits and password "admin".
+# The string "not-the-password" isn't the password of any user in the database.
+# Database master password is "mrroot".
+
+api_exit
+api_start
+test "init 1"
+
+one_line_fail_test_nochk \
+	{kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+	[config_params {KADM5_CONFIG_REALM} {""}] \
+	 $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
+
+test "init 2"
+
+one_line_fail_test_nochk \
+	{kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+	[config_params {KADM5_CONFIG_REALM} {@}] \
+	 $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
+
+test "init 2.5"
+
+one_line_fail_test_nochk \
+	{kadm5_init admin admin $KADM5_ADMIN_SERVICE \
+	[config_params {KADM5_CONFIG_REALM} {BAD.REALM}] \
+	 $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 server_handle}
+
+test "init 3"
+
+proc test3 {} {
+    global test
+    if {! ([principal_exists "$test/a"] || [create_principal "$test/a"])} {
+	error_and_restart "$test: couldn't create principal \"$test/a\""
+	return
+    }
+    one_line_fail_test_nochk [format {
+	kadm5_init admin admin "%s/a" null $KADM5_STRUCT_VERSION \
+		$KADM5_API_VERSION_2 server_handle
+    } $test]
+}
+if {$RPC} { test3 }
+
+test "init 4"
+
+proc test4 {} {
+    global test
+	if {! ((! [principal_exists "$test/a"]) || 
+         [delete_principal "$test/a"])} {
+		error_and_restart "$test: couldn't delete principal \"$test/a\""
+		return
+	}
+		
+	one_line_fail_test_nochk [format {
+	    kadm5_init admin admin "%s/a" null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	} $test]
+}
+if {$RPC} { test4 }
+
+test "init 5"
+
+if {$RPC} {
+    one_line_fail_test_nochk {
+	kadm5_init admin admin admin null $KADM5_STRUCT_VERSION \
+		$KADM5_API_VERSION_2 server_handle
+    }
+}
+
+test "init 6"
+
+proc test6 {} {
+    global test
+
+    send "kadm5_init admin null \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
+
+    expect {
+	{Enter password:} { }
+	eof {
+		fail "$test: eof instead of password prompt"
+		api_exit
+		api_start
+		return
+	}
+	timeout {
+	    fail "$test: timeout instead of password prompt"
+	    return
+	}
+    }
+    one_line_succeed_test "admin"
+    if {! [cmd {kadm5_destroy $server_handle}]} {
+	error_and_restart "$test: couldn't close database"
+    }
+}
+if { $RPC } { test6 } 
+
+test "init 7"
+proc test7 {} {
+    global test
+
+    send "kadm5_init admin \"\" \$KADM5_ADMIN_SERVICE null \$KADM5_STRUCT_VERSION \$KADM5_API_VERSION_2 server_handle\n"
+
+    expect {
+	{Enter password:} { }
+	-re "key:$" { }
+	eof {
+		fail "$test: eof instead of password prompt"
+		api_exit
+		api_start
+		return
+	}
+	timeout {
+	    fail "$test: timeout instead of password prompt"
+	    return
+	}
+    }
+    one_line_succeed_test "admin"
+    if {! [cmd {kadm5_destroy $server_handle}]} {
+	error_and_restart "$test: couldn't close database"
+    }
+}
+if { $RPC } { test7 } 
+
+test "init 8"
+
+proc test8 {} {
+    global test
+	if {! ([principal_exists "$test/a"] || [create_principal "$test/a"])} {
+		error_and_restart "$test: couldn't create principal \"$test/a\""
+		return
+	}
+ 	one_line_fail_test_nochk [format {
+	    kadm5_init "%s/a" admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	} $test]
+}
+if {$RPC} { test8 }
+
+test "init 9"
+
+if {$RPC} {
+    global test
+  one_line_fail_test_nochk {
+      kadm5_init admin not-the-password $KADM5_ADMIN_SERVICE null \
+	      $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	      server_handle
+  }
+}
+
+test "init 10"
+
+proc test10 {} {
+	global test
+#	set prms_id 562
+#	setup_xfail {*-*-*} $prms_id
+	one_line_fail_test_nochk {
+	    kadm5_init null admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+}
+test10
+
+#test "init 11"
+#
+#proc test11 {} {
+#	global test
+#	set prms_id 563
+#	setup_xfail {*-*-*} $prms_id
+#	one_line_fail_test_nochk {
+#	    kadm5_init "" admin $KADM5_ADMIN_SERVICE null \
+#		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		    server_handle
+#	}
+#}
+#test11
+
+test "init 12"
+
+proc test12 {} {
+	global test
+    one_line_fail_test_nochk [format {
+	kadm5_init "%s/a" admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test]
+}
+if {$RPC} { test12 }
+
+test "init 13"
+
+proc test13 {} {
+	global test
+    one_line_fail_test_nochk [format {
+	kadm5_init "%s/a@SECURE-TEST.OV.COM" admin \
+		$KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION \
+		$KADM5_API_VERSION_2 server_handle
+    } $test]
+}
+if {$RPC} { test13 }
+
+test "init 14"
+
+proc test14 {} {
+	global test
+    one_line_fail_test_nochk [format {
+	kadm5_init "%s/a@BAD.REALM" admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test]
+}
+if {$RPC} { test14 }
+
+test "init 15"
+
+if {$RPC} {
+    one_line_fail_test_nochk {
+	kadm5_init admin@BAD.REALM admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }
+}
+
+test "init 16"
+
+proc test16 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test16
+
+test "init 17"
+
+proc test17 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin@SECURE-TEST.OV.COM admin \
+		    $KADM5_ADMIN_SERVICE null $KADM5_STRUCT_VERSION \
+		    $KADM5_API_VERSION_2 server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test17
+
+test "init 18"
+
+proc test18 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test18
+
+test "init 19"
+
+proc test19 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin@SECURE-TEST.OV.COM admin \
+		    $KADM5_ADMIN_SERVICE \
+		    [config_params {KADM5_CONFIG_REALM} {SECURE-TEST.OV.COM}] \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test19
+
+test "init 20"
+
+proc test20 {} {
+	global test
+  if {! [cmd {
+      kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	      $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	      server_handle
+  }]} {
+		error_and_restart "$test: couldn't init database"
+		return
+	}
+	one_line_succeed_test \
+		{kadm5_get_principal $server_handle admin principal KADM5_PRINCIPAL_NORMAL_MASK}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test20
+
+#test "init 21"
+#
+#proc test21 {} {
+#    global test
+#    if {! [cmd {
+#	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+#		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		server_handle
+#    }]} {
+#	error_and_restart "$test: couldn't init database"
+#	return
+#    }
+#    one_line_fail_test_nochk {
+#	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		server_handle
+#    }
+#    if {! [cmd {kadm5_destroy $server_handle}]} {
+#	error_and_restart "$test: couldn't close database"
+#    }
+#}
+#test21
+
+
+# proc test22 {} {
+# 	global test prompt
+# 	set prompting 0
+# 	send [string trim {
+# 	    kadm5_init admin null null null $KADM5_STRUCT_VERSION \
+# 		    $KADM5_API_VERSION_2 server_handle
+# 	}]
+# 	send "\n"
+# 	expect {
+# 	    -re ":$" { set prompting 1}
+# 	    -re "\nOK .*$prompt$" { fail "$test: premature success" }
+# 	    -re "\nERROR .*$prompt$" { fail "$test: premature failure" }
+# 		timeout { fail "$test: timeout" }
+# 		eof { fail "$test: eof" }
+# 	}
+# 	if {$prompting} {
+# 	    one_line_succeed_test mrroot
+# 	}
+# 	if {! [cmd {kadm5_destroy $server_handle}]} {
+# 	    error_and_restart "$test: couldn't close database"
+# 	}
+# }
+# if {! $RPC} { test22 }
+# 
+# test "init 22.5"
+# proc test225 {} {
+# 	global test prompt
+# 	set prompting 0
+# 	send [string trim {
+# 	    kadm5_init admin null null null $KADM5_STRUCT_VERSION \
+# 		    $KADM5_API_VERSION_2 server_handle
+# 	}]
+# 	send "\n"
+# 	expect {
+# 	    -re ":$" { set prompting 1}
+# 	    -re "\nOK .*$prompt$" { fail "$test: premature success" }
+# 	    -re "\nERROR .*$prompt$" { fail "$test: premature failure" }
+# 		timeout { fail "$test: timeout" }
+# 		eof { fail "$test: eof" }
+# 	}
+# 	if {$prompting} {
+# 	    one_line_succeed_test mrroot
+# 	}
+# 	if {! [cmd {kadm5_destroy $server_handle}]} {
+# 	    error_and_restart "$test: couldn't close database"
+# 	}
+# }
+# if {! $RPC} { test225 }
+
+test "init 23"
+
+proc test23 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin not-the-password $KADM5_ADMIN_SERVICE \
+		    null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+if {! $RPC} { test23 }
+
+test "init 24"
+
+proc test24 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin admin null null $KADM5_STRUCT_VERSION \
+		    $KADM5_API_VERSION_2 server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+if {! $RPC} { test24 }
+
+test "init 25"
+
+proc test25 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin admin foobar null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+if {! $RPC} { test25 }
+
+test "init 26"
+
+#proc test26 {} {
+#	global test
+#
+#	api_exit
+#	api_start
+#	one_line_fail_test_nochk {
+#	    kadm5_get_principal $server_handle admin principal
+#	}
+#}
+#test26
+
+#test "init 27"
+#
+#proc test27 {} {
+#	global test
+#
+#	if {! ((! [principal_exists "$test/a"]) || [delete_principal "$test/a"])} {
+#		error_and_restart "$test: couldn't delete principal \"$test/a\""
+#		return
+#	}
+#	begin_dump
+#	if {[cmd [format {
+#	    kadm5_create_principal $server_handle [simple_principal \
+#		    "%s/a"] {KADM5_PRINCIPAL} "%s/a"
+#	} $test $test]]} {
+#		fail "$test: unexpected success in add"
+#		return
+#	}
+#	end_dump_compare "no-diffs"
+#}
+#test27
+
+#test "init 28"
+#
+#proc test28 {} {
+#    global test prompt
+#
+#    if {! ([principal_exists "$test/a"] || [create_principal "$test/a"])} {
+#	error_and_restart "$test: couldn't create principal \"$test/a\""
+#	return
+#    }
+#    begin_dump
+#    if {! ([cmd {
+#	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+#		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+#		server_handle
+#    }] && [cmd [format {
+#	kadm5_get_principal $server_handle "%s/a" principal
+#    } $test]])} {
+#	error_and_restart "$test: error getting principal"
+#	return;
+#    }
+#    send "lindex \$principal 8\n"
+#    expect {
+#	-re "\n(\[0-9\]+).*$prompt$" {set kvno $expect_out(1,string) }
+#	timeout {
+#	    error_and_restart "$test: timeout getting principal kvno"
+#	    return
+#	}
+#	eof {
+#	    error_and_restart "$test: eof getting principal kvno"
+#	    return
+#	}
+#    }
+#    api_exit
+#    api_start
+#    set new_kvno [expr "$kvno + 1"]
+#    if {[cmd [format {
+#	kadm5_modify_principal $server_handle \
+#		{"%s/a" 0 0 0 0 0 0 0 %d 0 0 0} {KADM5_KVNO}
+#    } $test $new_kvno]]} {
+#	fail "$test: unexpected success in modify"
+#	return;
+#    }
+#    end_dump_compare "no-diffs"
+#}
+#test28
+
+#test "init 29"
+#
+#proc test29 {} {
+#    global test
+#
+#    if {! ([principal_exists "$test/a"] || [create_principal "$test/a"])} {
+#	error_and_restart "$test: couldn't create principal \"$test/a\""
+#	return
+#    }
+#    begin_dump
+#    if {[cmd [format {
+#	kadm5_delete_principal $server_handle "%s/a"
+#    } $test]]} {
+#	fail "$test: unexpected success in delete"
+#	return
+#    }
+#    end_dump_compare "no-diffs"
+#}
+#test29
+
+test "init 30"
+proc test30 {} {
+	global test
+	if {[cmd {
+	    kadm5_init admin foobar $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}]} {
+		error_and_restart "$test: unexpected succsess"
+		return
+	}
+	one_line_succeed_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+if ${RPC} { test30 }
+
+test "init 31"
+proc test31 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $bad_struct_version_mask $KADM5_API_VERSION_2 \
+		    server_handle
+	} "BAD_STRUCT_VERSION" 
+}
+test31
+
+test "init 32"
+proc test32 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $no_struct_version_mask $KADM5_API_VERSION_2 \
+		    server_handle
+	} "BAD_STRUCT_VERSION" 
+}
+test32
+
+test "init 33"
+proc test33 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $old_struct_version $KADM5_API_VERSION_2 \
+		    server_handle
+	} "OLD_STRUCT_VERSION" 
+}
+test33
+
+test "init 34"
+proc test34 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $new_struct_version $KADM5_API_VERSION_2 \
+		    server_handle
+	} "NEW_STRUCT_VERSION" 
+}
+test34
+
+test "init 35"
+proc test35 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $bad_api_version_mask \
+		    server_handle
+	} "BAD_API_VERSION" 
+}
+test35
+
+test "init 36"
+proc test36 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $no_api_version_mask \
+		    server_handle
+	} "BAD_API_VERSION" 
+}
+test36
+
+test "init 37"
+proc test37 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $old_api_version \
+		    server_handle
+	} "OLD_LIB_API_VERSION" 
+}
+if { $RPC } test37
+
+test "init 38"
+proc test38 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $old_api_version \
+		    server_handle
+	} "OLD_SERVER_API_VERSION" 
+}
+if { ! $RPC } test38
+
+test "init 39"
+proc test39 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $new_api_version \
+		    server_handle
+	} "NEW_LIB_API_VERSION" 
+}
+if { $RPC } test39
+
+test "init 40"
+proc test40 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $new_api_version \
+		    server_handle
+	} "NEW_SERVER_API_VERSION" 
+}
+if { ! $RPC } test40
+
+test "init 41"
+proc test41 {} {
+	global test
+	one_line_fail_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_API_VERSION_2 $KADM5_STRUCT_VERSION \
+		    server_handle
+	} "BAD_"
+}
+test41
+
+test "init 42"
+proc test42 {} {
+	global test
+	one_line_succeed_test {
+	    kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+	    	    $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		    server_handle
+	}
+	if {! [cmd {kadm5_destroy $server_handle}]} {
+		error_and_restart "$test: couldn't close database"
+	}
+}
+test42
+
+
+proc test45_46 {service} {
+    global test kdb5_edit env
+
+    spawn $kdb5_edit -R "del $service"
+    expect {
+	{Type 'yes' to confirm:} {
+	    send "yes\n"
+	}
+	default {
+	    error "kdb5_edit del failed\n";
+	}
+    }
+    expect eof
+    wait
+
+    one_line_fail_test [concat {kadm5_init admin admin } \
+	    $service \
+	    { null $KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+	    server_handle}] "SECURE_PRINC_MISSING"
+
+    # this leaves the keytab with an incorrect entry
+    exec $kdb5_edit -R "ark $service"
+
+    # restart the api so it gets a new ccache
+    api_exit
+    api_start
+}
+
+if {$RPC} {
+    test "init 45"
+
+    test45_46 ovsec_adm/admin
+
+    test "init 46"
+
+    test45_46 ovsec_adm/changepw
+
+    # re-extract the keytab so it is right
+    exec rm /krb5/ovsec_adm.srvtab
+    exec $env(MAKE_KEYTAB) -princ ovsec_adm/admin -princ ovsec_adm/changepw \
+	    -princ kadmin/admin -princ kadmin/changepw /krb5/ovsec_adm.srvtab
+}
+
+return ""
+
diff --git a/src/lib/kadm5/unit-test/api.2/mod-policy.exp b/src/lib/kadm5/unit-test/api.2/mod-policy.exp
new file mode 100644
index 0000000..07e2e62
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/mod-policy.exp
@@ -0,0 +1,703 @@
+source lib.t
+api_exit
+api_start
+
+test "modify-policy 2"
+proc test2 {} {
+    global test
+
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test] "AUTH_MODIFY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test2 }
+
+test "modify-policy 4"
+proc test4 {} {
+    global test
+    
+    if {! ([policy_exists "$test/a"] ||
+	   [create_policy "$test/a"])} {
+            error_and_restart "$test: couldn't create policy \"$test/a\""
+            return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_REF_COUNT}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+        error "$test: unexpected failure in destroy"
+        return
+    }
+}
+test4
+
+test "modify-policy 8"
+proc test8 {} {
+    global test
+#    set prms_id 744
+#    setup_xfail {*-*-*} $prms_id
+
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_modify_policy $server_handle [simple_policy ""] \
+		{KADM5_PW_MAX_LIFE}
+    } "BAD_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test8
+
+test "modify-policy 9"
+proc test9 {} {
+    global test
+    global prompt
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MIN_LIFE}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 1\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test9
+
+test "modify-policy 10"
+proc test10 {} {
+    global test
+    global prompt
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 32 0 0 0 0 0} \
+		{KADM5_PW_MIN_LIFE}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 1\n"
+    expect {
+	-re "32\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test10
+
+
+test "modify-policy 11"
+proc test11 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 2\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test11
+
+test "modify-policy 12"
+proc test12 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 32 0 0 0 0} \
+		{KADM5_PW_MAX_LIFE}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 2\n"
+    expect {
+	-re "32\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test12
+
+test "modify-policy 13"
+proc test13 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MIN_LENGTH}
+    } $test] "BAD_LENGTH"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test13
+
+test "modify-policy 14"
+proc test14 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 8 0 0 0} \
+		{KADM5_PW_MIN_LENGTH}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 3\n"
+    expect {
+	-re "8\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test14
+
+test "modify-policy 15"
+proc test15 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MIN_CLASSES}
+    } $test] "BAD_CLASS"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test15
+
+test "modify-policy 16"
+proc test16 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 0 1 0 0} \
+		{KADM5_PW_MIN_CLASSES}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 4\n"
+    expect {
+	-re "1\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test16
+
+test "modify-policy 17"
+proc test17 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a"])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 0 5 0 0} \
+		{KADM5_PW_MIN_CLASSES}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 4\n"
+    expect {
+	-re "5\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test17
+
+test "modify-policy 18"
+proc test18 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 0 6 0 0} \
+		{KADM5_PW_MIN_CLASSES}
+    } $test] "BAD_CLASS"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test18
+
+test "modify-policy 19"
+proc test19 {} {
+    global test
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_HISTORY_NUM}
+    } $test] "BAD_HISTORY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test19
+
+test "modify-policy 20"
+proc test20 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 0 0 1 0} \
+		{KADM5_PW_HISTORY_NUM}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 5\n"
+    expect {
+	-re "1\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test20
+
+test "modify-policy 21"
+proc test21 {} {
+    global test
+    global prompt
+    
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_policy $server_handle {"%s/a" 0 0 0 0 10 0} \
+		{KADM5_PW_HISTORY_NUM}
+    } $test]]} {
+	fail $test
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_policy $server_handle "%s/a" policy
+    } $test]]} {
+	fail "$test: can not retrieve policy"
+	return
+    }
+    send "lindex \$policy 5\n"
+    expect {
+	-re "10\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test21
+
+test "modify-policy 22"
+proc test22 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test] "AUTH_MODIFY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test22
+
+test "modify-policy 23"
+proc test23 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test] "AUTH_MODIFY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} test23
+
+test "modify-policy 26"
+proc test26 {} {
+    global test
+    if {! ((  [policy_exists "$test/a"]) ||
+	   [create_policy "$test/a" ])} {
+	    error_and_restart "$test: couldn't create policy \"$test/a\""
+	    return
+    }
+
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_modify_policy $server_handle [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test26
+
+test "modify-policy 30"
+proc test30 {} {
+    global test
+
+    one_line_fail_test [format {
+	kadm5_modify_policy null [simple_policy "%s/a"] \
+		{KADM5_PW_MAX_LIFE}
+    } $test] "BAD_SERVER_HANDLE"
+}
+test30
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/mod-principal.exp b/src/lib/kadm5/unit-test/api.2/mod-principal.exp
new file mode 100644
index 0000000..5e24e08
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/mod-principal.exp
@@ -0,0 +1,1942 @@
+source lib.t
+api_exit
+api_start
+
+#test "modify-principal 1"
+#proc test1 {} {
+#	global test
+#	one_line_fail_test [format {
+#	    kadm5_modify_principal $server_handle [simple_principal \
+#		    "%s/a"] {KADM5_PW_EXPIRATION}
+#	} $test] "NOT_INIT"
+#}
+#test1
+
+test "modify-principal 2"
+proc test2 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "AUTH_MODIFY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test2 }
+
+test "modify-principal 4"
+proc test4 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINCIPAL}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test4
+
+
+test "modify-principal 5"
+proc test5 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_LAST_PWD_CHANGE}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test5
+
+test "modify-principal 6"
+proc test6 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MOD_TIME}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test6
+
+test "modify-principal 7"
+proc test7 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MOD_NAME}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test7
+
+test "modify-principal 8"
+proc test8 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MKVNO}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test8
+
+test "modify-principal 9"
+proc test9 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_AUX_ATTRIBUTES}
+    } $test] "BAD_MASK"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test9
+
+test "modify-principal 10"
+proc test10 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "UNK_PRINC"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test10
+
+test "modify-principal 11"
+proc test11 {} {
+    global test
+    if {! (( [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/none admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "AUTH_MOD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test11 }
+
+test "modify-principal 12"
+proc test12 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/get admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "AUTH_MOD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test12 }
+
+test "modify-principal 13"
+proc test13 {} {
+    global test
+    if {! (( [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/add admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "AUTH_MOD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test13 }
+
+test "modify-principal 14"
+proc test14 {} {
+    global test
+    if {! (( [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/delete admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test] "AUTH_MOD"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test14 }
+
+test "modify-principal 15"
+proc test15 {} {
+    global test
+    if {! (( [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test15
+
+test "modify-principal 17"
+proc test17 {} {
+    global test
+    if {! (( [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		no-policy] {KADM5_POLICY}
+    } $test] "UNK_POLICY"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test17
+
+test "modify-principal 18"
+proc test18 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal "$test/a"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 10\n"
+    expect {
+	-re "test-pol\n$prompt$"	{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    send "lindex \$p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    
+    send "lindex \$p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { [expr "$oldref + 1"] != $newref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test18
+
+test "modify-principal 19"
+proc test19 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal "$test/a"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 10\n"
+    expect {
+	-re "test-pol\n$prompt$"	{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    send "lindex \$p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    
+    send "lindex \$p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { [expr "$oldref + 1"] != $newref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test19
+
+test "modify-principal 20"
+proc test20 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal_pol "$test/a" "test-pol"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_POLICY_CLR}
+    } $test]]} {
+	error "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 10\n"
+    expect {
+	-re "test-pol\n$prompt$"	{ fail "$test" }
+	timeout				{ pass "$test" }
+    }
+    send "lindex \$p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    
+    send "lindex \$p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { [expr "$oldref - 1"] != $newref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test20
+
+test "modify-principal 21"
+proc test21 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal_pol "$test/a" "test-pol"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw old_p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol-nopw] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$old_p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    send "lindex \$old_p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set old_p2_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol-nopw new_p2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    
+    send "lindex \$new_p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    send "lindex \$new_p2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set new_p2_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { [expr "$old_p1_ref - 1"] != $new_p1_ref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { [expr "$old_p2_ref + 1"] != $new_p2_ref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test21
+
+test "modify-principal 21.5"
+proc test21.5 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal_pol "$test/a" "test-pol"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol old_p1}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$old_p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set old_p1_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol new_p1}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    
+    send "lindex \$new_p1 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set new_p1_ref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+
+    if {$old_p1_ref != $new_p1_ref} {
+	fail "$test: policy reference count changed ($old_p1_ref to $new_p1_ref)"
+	return
+    }
+
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test21.5
+
+test "modify-principal 22"
+proc test22 {} {
+    global test
+    global prompt
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modifiy failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test22
+
+test "modify-principal 23"
+proc test23 {} {
+    global test
+    global prompt
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" test-pol-nopw])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modifiy failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test23
+
+test "modify-principal 24"
+proc test24 {} {
+    global test
+    global prompt
+#    set prms_id 1358
+#    setup_xfail {*-*-*} $prms_id
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" "test-pol" ])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error_and_restart "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PW_EXPIRATION}
+    } $test]]} {
+    	fail "$test: could not modify principal"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_get_policy $server_handle %s policy
+    } test-pol]]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+    send "lindex \$principal 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$pw_mod_date + $pw_max_life"] != $pw_expire } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} { 
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test24
+
+test "modify-principal 25"
+proc test25 {} {
+    global test
+    global prompt
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 1234 0 0 0 0 0 0 0 0} {KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test25
+
+test "modify-principal 26"
+proc test26 {} {
+    global test
+    global prompt
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" "test-pol-nopw" ])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 1234 0 0 0 0 0 0 0 0} {KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test26
+
+test "modify-principal 27"
+proc test27 {} {
+    global test
+    global prompt
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" "test-pol" ])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 1234 0 0 0 0 0 0 0 0} {KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "1234\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test27
+
+test "modify-principal 28"
+proc test28 {} {
+    global test
+    global prompt
+#    set prms_id 1358
+#    setup_xfail {*-*-*} $prms_id    
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal_pol "$test/a" "test-pol" ])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 900 0 0 0 0 0 0 0 0} {KADM5_PW_EXPIRATION}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol policy}]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+    send "lindex \$principal 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$pw_mod_date + $pw_max_life"] == $pw_expire } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+    pass "$test"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test28
+
+test "modify-principal 29"
+proc test29 {} {
+    global test
+    global prompt
+    
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { ! ([create_principal_pol "$test/a" test-pol])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_POLICY_CLR}
+    } $test]]} {
+	fail "$test: modifiy failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test29
+
+test "modify-principal 30"
+proc test30 {} {
+    global test
+    global prompt
+
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal_pol "$test/a" test-pol])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol-nopw] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 3\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test30
+
+test "modify-principal 31"
+proc test31 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_POLICY}
+    } $test]]} {
+	fail "modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol policy}]} {
+	error_and_restart "$test: cannot retrieve policy"
+	return
+    }
+    send "lindex \$principal 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_mod_date $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_mod_date"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_mod_date"
+	    return
+	}
+    }
+
+    send "lindex \$principal 3\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_expire $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_expire"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_expire"
+	    return
+	}
+    }
+
+    send "lindex \$policy 2\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" {set pw_max_life $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting pw_max_life"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting pw_max_life"
+	    return
+	}
+    }
+    if { [expr "$pw_mod_date + $pw_max_life"] != $pw_expire } {
+	fail "$test: pw_expire is wrong"
+	return
+    }
+
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test31
+
+test "modify-principal 32"
+proc test32 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	error_and_restart "$test: couldn't delete principal \"$test/a\""
+	return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 1234 0 0 0 0 0 0 0 0 0 0} \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 1\n"
+    expect {
+	-re "1234\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test32
+
+test "modify-principal 33"
+proc test33 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 0 0 0 0 KRB5_KDB_DISALLOW_ALL_TIX 0 0 0 0} \
+		{KADM5_ATTRIBUTES}
+    } $test]]} {
+	fail "$test: modified fail"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 7\n"
+    expect {
+	-re "KRB5_KDB_DISALLOW_ALL_TIX.*$prompt$"		{ pass "$test" }
+	timeout							{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test33
+
+test "modify-principal 33.25"
+proc test3325 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 0 0 0 0 KRB5_KDB_REQUIRES_PWCHANGE 0 0 0 0} \
+		{KADM5_ATTRIBUTES}
+    } $test]]} {
+	fail "$test: modified fail"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 7\n"
+    expect {
+	-re "KRB5_KDB_REQUIRES_PWCHANGE.*$prompt$"		{ pass "$test" }
+	timeout							{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test3325
+
+test "modify-principal 33.5"
+proc test335 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 0 0 0 0 KRB5_KDB_DISALLOW_TGT_BASED 0 0 0 0} \
+		{KADM5_ATTRIBUTES}
+    } $test]]} {
+	fail "$test: modified fail"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 7\n"
+    expect {
+	-re "KRB5_KDB_DISALLOW_TGT_BASED.*$prompt$"		{ pass "$test" }
+	timeout							{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test335
+
+
+test "modify-principal 34"
+proc test34 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 0 3456 0 0 0 0 0 0 0} {KADM5_MAX_LIFE}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 4\n"
+    expect {
+	-re "3456\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test34
+
+test "modify-principal 35"
+proc test35 {} {
+    global prompt
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd [format {
+	kadm5_modify_principal $server_handle \
+		{"%s/a" 0 0 0 0 0 0 0 7 0 0 0} {KADM5_KVNO}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 8\n"
+    expect {
+	-re "7\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test35
+
+test "modify-principal 36"
+proc test36 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal_pol "$test/a" "test-pol"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol pol}]}  {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		test-pol] {KADM5_POLICY}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 10\n"
+    expect {
+	-re "test-pol\n$prompt$"	{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    send "lindex \$pol 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set oldref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { ! [cmd {kadm5_get_policy $server_handle test-pol pol2}]} {
+	error "$test: unexpected failure on get policy"
+	return
+    }
+    send "lindex \$pol2 6\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt$" {set newref $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting principal kvno (second time)"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting principal kvno (second time)"
+	    return
+	}
+    }
+    if { $oldref != $newref } {
+	fail "$test: policy reference count is wrong"
+	return;
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test36
+
+test "modify-principal 37"
+proc test37 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if { !( [create_principal "$test/a"])} {
+	error_and_restart "$test: could not create principal \"$test/a\""
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_POLICY_CLR}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test37
+
+test "modify-principal 38"
+proc test38 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 1\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test38
+
+test "modify-principal 39"
+proc test39 {} {
+    global test
+    global prompt
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! ([create_principal "$test/a"])} {
+	error "$test: unexpected failure in creating principal"
+	return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [simple_principal "%s/a"] \
+		{KADM5_MAX_LIFE}
+    } $test]]} {
+	fail "$test: modify failed"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_get_principal $server_handle "%s/a" principal KADM5_PRINCIPAL_NORMAL_MASK
+    } $test]]} {
+	error_and_restart "$test: could not retrieve principal"
+	return
+    }
+    send "lindex \$principal 4\n"
+    expect {
+	-re "0\n$prompt$"		{ pass "$test" }
+	timeout				{ fail "$test" }
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test39
+
+test "modify-principal 40"
+proc test40 {} {
+    global test
+    global prompt
+    
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_modify_principal $server_handle null \
+		{KADM5_PRINC_EXPIRE_TIME}
+    } "EINVAL"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test40
+
+test "modify-principal 43"
+proc test43 {} {
+	global test
+	one_line_fail_test [format {
+	    kadm5_modify_principal null [simple_principal \
+		    "%s/a"] {KADM5_PW_EXPIRATION}
+	} $test] "BAD_SERVER_HANDLE"
+}
+test43
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp b/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp
new file mode 100644
index 0000000..c3dfd18
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/randkey-principal-v2.exp
@@ -0,0 +1,62 @@
+source lib.t
+api_exit
+api_start
+
+test "randkey-principal 100"
+proc test100 {} {
+    global test prompt
+
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal "$test/a"]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+
+    # I'd like to specify a long list of keysalt tuples and make sure
+    # that randkey does the right thing, but we can only use those
+    # enctypes that krbtgt has a key for: des-cbc-crc:normal and
+    # des-cbc-crc:v4, according to the prototype kdc.conf.
+    if {! [cmd [format {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]]} {
+	error "$test: unexpected failure in randkey_principal"
+    }
+    send "puts \$num_keys\n"
+    expect {
+	-re "(\[0-9\]+)\n$prompt" { set num_keys $expect_out(1,string) }
+	timeout {
+	    error_and_restart "$test: timeout getting num_keys"
+	    return
+	}
+	eof {
+	    error_and_restart "$test: eof getting num_keys"
+	    return
+	}
+    }
+
+    # XXX Perhaps I should actually check the key type returned.
+    if {$num_keys == 1} {
+	pass "$test"
+    } else {
+	fail "$test: $num_keys keys, should be 1"
+    }
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test100
+
+return ""
diff --git a/src/lib/kadm5/unit-test/api.2/randkey-principal.exp b/src/lib/kadm5/unit-test/api.2/randkey-principal.exp
new file mode 100644
index 0000000..d693a2a
--- /dev/null
+++ b/src/lib/kadm5/unit-test/api.2/randkey-principal.exp
@@ -0,0 +1,319 @@
+source lib.t
+api_exit
+api_start
+
+test "randkey-principal 1"
+proc test1 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd [format {
+	kadm5_init "%s/a" "%s/a" $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test $test]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test] "PASS_TOOSOON"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test1 } 
+
+test "randkey-principal 3"
+proc test3 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd [format {
+	kadm5_init "%s/a" "%s/a" $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test $test]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test] "PASS_TOOSOON"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if ${RPC} { test3 } 
+
+test "randkey-principal 13"
+proc test13 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_modify_principal $server_handle [princ_w_pol "%s/a" \
+		once-a-min] KADM5_POLICY
+    } $test]]} {
+	error "$test: failed modify"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test13
+
+test "randkey-principal 15"
+proc test15 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal_pol "$test/a" once-a-min]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test] "AUTH_CHANGEPW"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if { $RPC } { test15 }
+
+test "randkey-principal 28"
+proc test28 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test28
+
+test "randkey-principal 28.25"
+proc test2825 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin admin $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test] "AUTH"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+if {$RPC} { test2825 }
+
+test "randkey-principal 28.5"
+proc test285 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [cmd {
+	kadm5_init admin/modify admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test285
+
+test "randkey-principal 30"
+proc test30 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't delete principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal "$test/a"]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    if {! [cmd [format {
+	kadm5_init "%s/a" "%s/a" $KADM5_CHANGEPW_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test $test]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test30
+
+test "randkey-principal 31"
+proc test31 {} {
+    global test
+    if {! (( ! [principal_exists "$test/a"]) ||
+	   [delete_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if {! [create_principal "$test/a"]} {
+	error_and_restart "$test: creating principal"
+	return
+    }
+    
+    if {! [cmd [format {
+	kadm5_init "%s/a" "%s/a" $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    } $test $test]]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_succeed_test [format {
+	kadm5_randkey_principal $server_handle "%s/a" keys num_keys
+    } $test]
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test31
+
+test "randkey-principal 32"
+proc test32 {} {
+    global test
+
+    if { ! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test {
+	kadm5_randkey_principal $server_handle kadmin/history keys num_keys
+    } "PROTECT"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+test32
+
+test "randkey-principal 33"
+proc test33 {} {
+    global test
+    if {! ((  [principal_exists "$test/a"]) ||
+	   [create_principal "$test/a"])} {
+	    error_and_restart "$test: couldn't create principal \"$test/a\""
+	    return
+    }
+    if { ! [cmd {
+	kadm5_init admin admin $KADM5_ADMIN_SERVICE null \
+		$KADM5_STRUCT_VERSION $KADM5_API_VERSION_2 \
+		server_handle
+    }]} {
+	error "$test: unexpected failure in init"
+	return
+    }
+    one_line_fail_test [format {
+	kadm5_randkey_principal null "%s/a" keys num_keys
+    } $test] "BAD_SERVER_HANDLE"
+    if { ! [cmd {kadm5_destroy $server_handle}]} {
+	error "$test: unexpected failure in destroy"
+	return
+    }
+}
+
+test33
+
+return ""
author	Marc Horowitz <marc@mit.edu>	1996-07-22 20:49:46 +0000
committer	Marc Horowitz <marc@mit.edu>	1996-07-22 20:49:46 +0000
commit	edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1 (patch)
tree	6c2974a97b448c040fa4a31708ec5e02f187526c /src/lib/kadm5/unit-test/api.2
parent	013bb1391582ed9e653ae706e398ddb8d08cfcc9 (diff)
download	krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.zip krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.tar.gz krb5-edf8b4d8a6a665c2aa150993cd813ea6c5cf12e1.tar.bz2