r17617: Take Andrew Bartletts excellent advice and don't store

the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)

1 files changed, 3 insertions, 2 deletions

diff --git a/source3/nsswitch/winbindd_creds.c b/source3/nsswitch/winbindd_creds.c
index 414dd24af9..75d21353fd 100644
--- a/source3/nsswitch/winbindd_creds.c
+++ b/source3/nsswitch/winbindd_creds.c
@@ -31,12 +31,13 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain,
 			    TALLOC_CTX *mem_ctx,
 			    const DOM_SID *sid,
 			    NET_USER_INFO_3 **info3,
-			    const uint8 *cached_nt_pass[NT_HASH_LEN])
+			    const uint8 *cached_nt_pass[NT_HASH_LEN],
+			    const uint8 *cred_salt[NT_HASH_LEN])
 {
 	NET_USER_INFO_3 *info;
 	NTSTATUS status;
 
-	status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass);
+	status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt);
 	if (!NT_STATUS_IS_OK(status)) {
 		return status;
 	}