author | Andrew Bartlett <abartlet@samba.org> | 2009-07-14 08:15:50 +1000 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2009-07-16 09:23:35 +1000 |
commit | 271b5af92e9aada36adc648a6dd43a13c5aed340 (patch) | |
tree | a82d7670ea64704670b09feffd83f6db23a1c433 /source4/dsdb/samdb/ldb_modules/password_hash.c | |
parent | ba58edd0bc2d77c6ed1b6a76f33787da9031db5b (diff) | |
s4:dsdb Handle dc/domain/forest functional levels properly
Rather than have the functional levels scattered in 4 different,
unconnected locations, the provision script now sets it, and the
rootdse module maintains its copy only as a cached view onto the
original values.
We also use the functional level to determine if we should store AES
Kerberos keys.
Andrew Bartlett
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules/password_hash.c')
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index a28ca1d568..ef641ac18b 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -1026,6 +1026,7 @@ static int setup_supplemental_field(struct setup_password_fields_io *io) uint8_t zero16[16]; bool do_newer_keys = false; bool do_cleartext = false; + int *domainFunctionality; ZERO_STRUCT(zero16); ZERO_STRUCT(names); @@ -1064,10 +1065,10 @@ static int setup_supplemental_field(struct setup_password_fields_io *io) _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE); } } + /* Per MS-SAMR 3.1.1.8.11.6 we create AES keys if our domain functionality level is 2008 or higher */ + domainFunctionality = talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int); - /* TODO: do the correct check for this, it maybe depends on the functional level? */ - do_newer_keys = lp_parm_bool(ldb_get_opaque(ldb, "loadparm"), - NULL, "password_hash", "create_aes_key", false); + do_newer_keys = *domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008); if (io->domain->store_cleartext && (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { |
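Review bot: In the second hunk of setup_supplemental_field(), `domainFunctionality` is dereferenced without a NULL check: `talloc_get_type(ldb_get_opaque(ldb, "domainFunctionality"), int)` returns NULL when the opaque has not been set on this ldb or does not carry the expected talloc type, and `*domainFunctionality && ...` then crashes in the password-set path. The first operand looks like it was meant to test the pointer rather than the value, so I would write `do_newer_keys = domainFunctionality && (*domainFunctionality >= DS_BEHAVIOR_WIN2008);`, which leaves AES key generation off when the level is unknown. The same hunk drops the `password_hash:create_aes_key` parametric option without a mention in the commit message, so a configuration that set it will silently stop having any effect; that deserves a line in the message or the release notes.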