r8983: The KVNO (Kerberos key version number) should be incremented with

every password set.

Andrew Bartlett
(This used to be commit 71958cb19f8a2289e97f29018bb252a7d4540258)

1 files changed, 4 insertions, 0 deletions

diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index d251c02eca..48abc7cfde 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -510,6 +510,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 	struct samr_Password *new_lmPwdHistory, *new_ntPwdHistory;
 	struct samr_Password local_lmNewHash, local_ntNewHash;
 	int lmPwdHistory_len, ntPwdHistory_len;
+	uint_t kvno;
 	struct ldb_message **res;
 	int count;
 	time_t now = time(NULL);
@@ -534,6 +535,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 	lmPwdHash =          samdb_result_hash(res[0],   "lmPwdHash");
 	ntPwdHash =          samdb_result_hash(res[0],   "ntPwdHash");
 	pwdLastSet =         samdb_result_uint64(res[0], "pwdLastSet", 0);
+	kvno =               samdb_result_uint(res[0],   "msDS-KeyVersionNumber", 0);
 
 	/* pull the domain parameters */
 	count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs);
@@ -679,6 +681,8 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
 	}
 
 	CHECK_RET(samdb_msg_add_uint64(ctx, mem_ctx, mod, "pwdLastSet", now_nt));
+
+	CHECK_RET(samdb_msg_add_uint(ctx, mem_ctx, mod, "msDS-KeyVersionNumber", kvno + 1));
 	
 	if (pwdHistoryLength == 0) {
 		CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "lmPwdHistory"));