authorAndrew Bartlett <abartlet@samba.org>2006-01-05 06:53:39 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:49:45 -0500
commit4bfe2907e77809e499e998dd63f41985c5a02279 (patch)
treeddeab36cbefffa97a1f55be8757b2d710bb1f138
parent6eabf593bbc50da66e09e3d581f89f80e41c9994 (diff)
r12719: Rename unicodePwd -> sambaPassword.
Because we don't know the syntax of unicodePwd, we want to avoid using that attribute name. It may cause problems later when we get replication from Windows. I'm doing this before the tech preview, so we don't get too many surprises as folks upgrade databases into later versions. Andrew Bartlett (This used to be commit 097d9d0b7fd3b1a10fb7039f0671fd459bed2d1b)
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c52
-rw-r--r--source4/dsdb/samdb/ldb_modules/samba3sam.c17
-rw-r--r--source4/libnet/libnet_samsync_ldb.c2
-rw-r--r--source4/rpc_server/samr/samr_password.c4
-rw-r--r--source4/setup/provision_init.ldif2
-rw-r--r--source4/setup/provision_users.ldif6
6 files changed, 35 insertions, 48 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index b8554e4885..80017548d2 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -25,7 +25,7 @@
*
* Component: ldb password_hash module
*
- * Description: correctly update hash values based on changes to unicodePwd and friends
+ * Description: correctly update hash values based on changes to sambaPassword and friends
*
* Author: Andrew Bartlett
*/
@@ -46,7 +46,7 @@
/* If we have decided there is reason to work on this request, then
* setup all the password hash types correctly.
*
- * If the administrator doesn't want the unicodePwd stored (set in the
+ * If the administrator doesn't want the sambaPassword stored (set in the
* domain and per-account policies) then we must strip that out before
* we do the first operation.
*
@@ -71,7 +71,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
uint_t pwdProperties, pwdHistoryLength;
uint_t userAccountControl;
const char *dnsDomain, *realm;
- const char *unicodePwd;
+ const char *sambaPassword;
struct samr_Password *lmPwdHistory, *ntPwdHistory;
struct samr_Password *lmPwdHash, *ntPwdHash;
struct samr_Password *lmOldHash = NULL, *ntOldHash = NULL;
@@ -119,10 +119,10 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
/* Do the original action */
- /* If no part of this touches the unicodePwd, then we don't
+ /* If no part of this touches the sambaPassword, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
- if ((attribute = ldb_msg_find_element(msg, "unicodePwd")) == NULL ) {
+ if ((attribute = ldb_msg_find_element(msg, "sambaPassword")) == NULL ) {
return ldb_next_request(module, req);
}
@@ -155,35 +155,35 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
/* look again, this time at the copied attribute */
- if (!msg2 || (attribute = ldb_msg_find_element(msg2, "unicodePwd")) == NULL ) {
+ if (!msg2 || (attribute = ldb_msg_find_element(msg2, "sambaPassword")) == NULL ) {
/* Gah? where did it go? Oh well... */
return LDB_ERR_OPERATIONS_ERROR;
}
- /* Wipe out the unicodePwd attribute set, we will handle it in
+ /* Wipe out the sambaPassword attribute set, we will handle it in
* the second modify. We might not want it written to disk */
if (req->operation == LDB_REQ_ADD) {
if (attribute->num_values != 1) {
ldb_set_errstring(module,
- talloc_asprintf(mem_ctx, "unicodePwd_handle: "
- "attempted set of multiple unicodePwd attributes on %s rejected",
+ talloc_asprintf(mem_ctx, "sambaPassword_handle: "
+ "attempted set of multiple sambaPassword attributes on %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
return LDB_ERR_CONSTRAINT_VIOLAION;
}
- unicodePwd = (const char *)attribute->values[0].data;
- ldb_msg_remove_attr(msg2, "unicodePwd");
+ sambaPassword = (const char *)attribute->values[0].data;
+ ldb_msg_remove_attr(msg2, "sambaPassword");
} else if (((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_ADD)
|| ((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE)) {
if (attribute->num_values != 1) {
return LDB_ERR_CONSTRAINT_VIOLAION;
}
- unicodePwd = (const char *)attribute->values[0].data;
- ldb_msg_remove_attr(msg2, "unicodePwd");
+ sambaPassword = (const char *)attribute->values[0].data;
+ ldb_msg_remove_attr(msg2, "sambaPassword");
} else {
- unicodePwd = NULL;
+ sambaPassword = NULL;
}
modified_orig_request = talloc(mem_ctx, struct ldb_request);
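Review bot: The three early returns in this hunk (`LDB_ERR_OPERATIONS_ERROR` after the second lookup and both `LDB_ERR_CONSTRAINT_VIOLAION` returns) leave without `talloc_free(mem_ctx)`, while the non-'person' rejection later in password_hash_handle frees it before returning; unless mem_ctx hangs off a context that is freed per request (not visible here), each rejected request leaks it, so add `talloc_free(mem_ctx);` before each return. The rename also turned the error prefix into `"sambaPassword_handle: "`, which names no function; the other error string in this function uses `"password_hash_handle: "`. The MOD_ADD/MOD_REPLACE branch rejects multiple values without setting any error string. `(const char *)attribute->values[0].data` is treated as a C string from here on, so it relies on the value being NUL-terminated with no embedded NUL; a one-line comment stating that assumption would help. The function starts and ends outside the hunk.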
@@ -289,11 +289,11 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
if (!objectclasses || !ldb_msg_find_val(objectclasses, &person_val)) {
/* Not a 'person', so the rest of this doesn't make
- * sense. How we got a unicodePwd this far I don't
+ * sense. How we got a sambaPassword this far I don't
* know... */
ldb_set_errstring(module,
talloc_asprintf(mem_ctx, "password_hash_handle: "
- "attempted set of unicodePwd on non-'person' object %s rejected",
+ "attempted set of sambaPassword on non-'person' object %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_CONSTRAINT_VIOLAION;
@@ -360,7 +360,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
CHECK_RET(ldb_msg_add_empty(modify_msg, "krb5Key", LDB_FLAG_MOD_REPLACE));
/* Yay, we can compute new password hashes from the unicode
* password */
- if (unicodePwd) {
+ if (sambaPassword) {
Principal *salt_principal;
const char *user_principal_name = ldb_msg_find_string(res->msgs[0], "userPrincipalName", NULL);
@@ -368,12 +368,12 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
size_t num_keys;
/* compute the new nt and lm hashes */
- if (E_deshash(unicodePwd, local_lmNewHash.hash)) {
+ if (E_deshash(sambaPassword, local_lmNewHash.hash)) {
lmPwdHash = &local_lmNewHash;
} else {
lmPwdHash = NULL;
}
- E_md4hash(unicodePwd, local_ntNewHash.hash);
+ E_md4hash(sambaPassword, local_ntNewHash.hash);
ntPwdHash = &local_ntNewHash;
CHECK_RET(ldb_msg_add_empty(modify_msg, "ntPwdHash",
LDB_FLAG_MOD_REPLACE));
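Review bot: `lmPwdHash` is set whenever `E_deshash` succeeds, with no policy check visible in this hunk, so an LM hash is derived for every password that can be represented as one. LM hashes are far weaker than the NT hash, and if the value is stored further down (outside the hunk) it becomes the weakest credential in a leaked database. Consider gating it behind a configuration option, and once the storage path is confirmed add a comment such as `/* LM hash is kept only for legacy clients; NULL means none is stored */`. The enclosing block starts and ends outside the hunk.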
@@ -449,7 +449,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
/* TODO: We may wish to control the encryption types chosen in future */
krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
- salt_principal, unicodePwd, &keys, &num_keys);
+ salt_principal, sambaPassword, &keys, &num_keys);
krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
@@ -499,14 +499,14 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
}
/* Possibly kill off the cleartext or store it */
- CHECK_RET(ldb_msg_add_empty(modify_msg, "unicodePwd", LDB_FLAG_MOD_REPLACE));
+ CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaPassword", LDB_FLAG_MOD_REPLACE));
- if (unicodePwd && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
+ if (sambaPassword && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
(userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- CHECK_RET(ldb_msg_add_string(modify_msg, "unicodePwd", unicodePwd));
+ CHECK_RET(ldb_msg_add_string(modify_msg, "sambaPassword", sambaPassword));
}
- /* Even if we didn't get a unicodePwd, we can still setup
+ /* Even if we didn't get a sambaPassword, we can still setup
* krb5Key from the NT hash.
*
* This is an append, so it works with the 'continue' in the
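Review bot: The empty `LDB_FLAG_MOD_REPLACE` here now clears only `sambaPassword`, so a database written before the rename that stored cleartext under `unicodePwd` keeps that value after the next password change. The provision_init.ldif hunk also drops `unicodePwd: HIDDEN`, so such a leftover value would presumably no longer be hidden. If in-place upgrades are expected, as the commit message suggests, add `CHECK_RET(ldb_msg_add_empty(modify_msg, "unicodePwd", LDB_FLAG_MOD_REPLACE));` next to it or remove the old attribute in an upgrade step, and keep the `HIDDEN` entry for the old name until then. The enclosing function continues outside the hunk.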
@@ -663,7 +663,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
return ret;
}
-/* add_record: do things with the unicodePwd attribute */
+/* add_record: do things with the sambaPassword attribute */
static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.add.message;
@@ -677,7 +677,7 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
return password_hash_handle(module, req, msg);
}
-/* modify_record: do things with the unicodePwd attribute */
+/* modify_record: do things with the sambaPassword attribute */
static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.mod.message;
diff --git a/source4/dsdb/samdb/ldb_modules/samba3sam.c b/source4/dsdb/samdb/ldb_modules/samba3sam.c
index 7686d9b3ec..429710c2c5 100644
--- a/source4/dsdb/samdb/ldb_modules/samba3sam.c
+++ b/source4/dsdb/samdb/ldb_modules/samba3sam.c
@@ -812,9 +812,9 @@ const struct ldb_map_attribute samba3_attributes[] =
.type = MAP_IGNORE,
},
- /* unicodePwd */
+ /* sambaPassword */
{
- .local_name = "unicodePwd",
+ .local_name = "sambaPassword",
.type = MAP_IGNORE,
},
@@ -872,19 +872,6 @@ const struct ldb_map_attribute samba3_attributes[] =
},
},
},
-
- /* unicodePwd */
- {
- .local_name = "unicodePwd",
- .type = MAP_GENERATE,
- .u = {
- .generate = {
- .remote_names = { "sambaNTPassword", "sambaLMPassword", NULL },
- .generate_local = NULL,
- .generate_remote = generate_hashes
- },
- },
- },
{
.local_name = NULL,
}
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index d07002691f..03c551d2f7 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -285,7 +285,7 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
/* Passwords. Ensure there is no plaintext stored against
* this entry, as we only have hashes */
samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
- "unicodePwd");
+ "sambaPassword");
if (user->lm_password_present) {
samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
"lmPwdHash", &user->lmpassword);
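Review bot: The result of `samdb_msg_add_delete(..., "sambaPassword")` is discarded, so if building the delete element fails the sync continues and any stored plaintext stays on the entry, contrary to the comment above the call. samdb_set_password wraps the same call in `CHECK_RET`; here it should be checked too, e.g. `if (samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, "sambaPassword") != 0) return NT_STATUS_NO_MEMORY;` (assuming the helper returns 0 on success). The `samdb_msg_add_hash` call below is unchecked in the same way. samsync_ldb_handle_user starts and ends outside the hunk.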
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index d2cec881a5..39c077418f 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -709,11 +709,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
* Modules in ldb will set all the appropriate
* hashes */
CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod,
- "unicodePwd", new_pass));
+ "sambaPassword", new_pass));
} else {
/* We don't have the cleartext, so delete the old one
* and set what we have of the hashes */
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "unicodePwd"));
+ CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "sambaPassword"));
if (lmNewHash) {
CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "lmPwdHash", lmNewHash));
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index 99bbc01acf..5746fbfcda 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -21,7 +21,7 @@ name: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
sAMAccountName: CASE_INSENSITIVE
objectClass: CASE_INSENSITIVE
-unicodePwd: HIDDEN
+sambaPassword: HIDDEN
krb5Key: HIDDEN
ntPwdHash: HIDDEN
ntPwdHistory: HIDDEN
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 105dd4a059..ffb0139378 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -15,7 +15,7 @@ adminCount: 1
accountExpires: -1
sAMAccountName: Administrator
isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
+sambaPassword: ${ADMINPASS}
unixName: ${ROOT}
dn: CN=Guest,CN=Users,${BASEDN}
@@ -93,7 +93,7 @@ operatingSystem: Samba
operatingSystemVersion: 4.0
dNSHostName: ${DNSNAME}
isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
+sambaPassword: ${MACHINEPASS}
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
@@ -269,7 +269,7 @@ sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
+sambaPassword: ${KRBTGTPASS}
dn: CN=Domain Computers,CN=Users,${BASEDN}
objectClass: top