diff --git a/selftest/selftest.pl b/selftest/selftest.pl
index d14df92a11c..89f98d03d2b 100755
--- a/selftest/selftest.pl
+++ b/selftest/selftest.pl
@@ -22,6 +22,7 @@ use warnings;
 use FindBin qw($RealBin $Script);
 use File::Spec;
 use File::Temp qw(tempfile);
+use File::Path qw(remove_tree);
 use Getopt::Long;
 use POSIX;
 use Cwd qw(abs_path);
@@ -501,67 +502,38 @@ sub write_clientconf($$$)
 
 	mkdir("$clientdir", 0777) unless -d "$clientdir";
 
-	if ( -d "$clientdir/private" ) {
-	        unlink <$clientdir/private/*>;
-	} else {
-	        mkdir("$clientdir/private", 0777);
-	}
+	my @subdirs = (
+		{ name => "private", mask => 0777 },
+		{ name => "bind-dns", mask => 0777 },
+		{ name => "lockdir", mask => 0777 },
+		{ name => "statedir", mask => 0777 },
+		{ name => "cachedir", mask => 0777 },
+		{ name => "pkinit", mask => 0700 },
+		# the ncalrpcdir needs exactly 0755 otherwise tests fail.
+		{ name => "ncalrpcdir", mask => 0755, umask => 0022 },
+	);
 
-	if ( -d "$clientdir/bind-dns" ) {
-	        unlink <$clientdir/bind-dns/*>;
-	} else {
-	        mkdir("$clientdir/bind-dns", 0777);
+	foreach my $sub (@subdirs) {
+		my $dir = "$clientdir/$sub->{name}";
+		remove_tree($dir);
+		my $mask = umask;
+		if (defined($sub->{umask})) {
+			umask $sub->{umask};
+		}
+		mkdir($dir, $sub->{mask});
+		umask $mask;
 	}
 
-	if ( -d "$clientdir/lockdir" ) {
-	        unlink <$clientdir/lockdir/*>;
-	} else {
-	        mkdir("$clientdir/lockdir", 0777);
-	}
-
-	if ( -d "$clientdir/statedir" ) {
-	        unlink <$clientdir/statedir/*>;
-	} else {
-	        mkdir("$clientdir/statedir", 0777);
-	}
-
-	if ( -d "$clientdir/cachedir" ) {
-	        unlink <$clientdir/cachedir/*>;
-	} else {
-	        mkdir("$clientdir/cachedir", 0777);
-	}
-
-	# this is ugly, but the ncalrpcdir needs exactly 0755
-	# otherwise tests fail.
-	my $mask = umask;
-	umask 0022;
-	if ( -d "$clientdir/ncalrpcdir/np" ) {
-	        unlink <$clientdir/ncalrpcdir/np/*>;
-		rmdir "$clientdir/ncalrpcdir/np";
-	}
-	if ( -d "$clientdir/ncalrpcdir" ) {
-	        unlink <$clientdir/ncalrpcdir/*>;
-		rmdir "$clientdir/ncalrpcdir";
-	}
-	mkdir("$clientdir/ncalrpcdir", 0755);
-	umask $mask;
-
 	my $cadir = "$ENV{SRCDIR_ABS}/selftest/manage-ca/CA-samba.example.com";
 	my $cacert = "$cadir/Public/CA-samba.example.com-cert.pem";
 	my $cacrl_pem = "$cadir/Public/CA-samba.example.com-crl.pem";
 	my $ca_users_dir = "$cadir/Users";
 
-	if ( -d "$clientdir/pkinit" ) {
-	        unlink <$clientdir/pkinit/*>;
-	} else {
-	        mkdir("$clientdir/pkinit", 0700);
-	}
-
 	# each user has a USER-${USER_PRINCIPAL_NAME}-cert.pem and
 	# USER-${USER_PRINCIPAL_NAME}-private-key.pem symlink
 	# We make a copy here and make the certificated easily
 	# accessable in the client environment.
-	$mask = umask;
+	my $mask = umask;
 	umask 0077;
 	opendir USERS, "${ca_users_dir}" or die "Could not open dir '${ca_users_dir}': $!";
 	for my $d (readdir USERS) {