authorAndrew Bartlett <abartlet@samba.org>2006-10-16 07:32:22 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 14:21:08 -0500
commitbd8f63a61747d91452dadaa1667bc30a708fa4d4 (patch)
tree7f1f435f151d7fd82c002b6a0b46a000b6f0be61 /source4/dsdb/samdb/ldb_modules
parent8afbf3a0ef63dfc5553e7de8dc498685d8fd2bc7 (diff)
r19321: Merge from release branch:
Always set the krb5key from the ntPwdHash, even if we don't have the cleartext password in sambaPassword. This fixes kerberos after a vampire. Andrew Bartlett (This used to be commit 1d4d2271c9b944db3a9a2eba971aec5bcd9cf100)
Diffstat (limited to 'source4/dsdb/samdb/ldb_modules')
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c12
1 files changed, 6 insertions, 6 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 6f24c7fa4c..a4862f3820 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -724,12 +724,6 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
return ret;
}
- /* add also kr5 keys based on NT the hash */
- ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
- if (ret != LDB_SUCCESS) {
- return ret;
- }
-
/* if both the domain properties and the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
@@ -740,6 +734,12 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
}
}
+ /* add also krb5 keys based on NT the hash (we might have ntPwdHash, but not the cleartext */
+ ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
+ if (ret != LDB_SUCCESS) {
+ return ret;
+ }
+
/* don't touch it if a value is set. It could be an incoming samsync */
if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
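Review bot: The relocated call to add_krb5_keys_from_NThash now appears to run on every add rather than only when sambaPassword was supplied, so its behaviour when msg carries no ntPwdHash matters; that function's body is not visible here, so confirm it returns LDB_SUCCESS and leaves msg untouched in that case instead of failing the add. The added comment is garbled and its parenthesis is never closed; suggest `/* also add krb5 keys derived from the NT hash (we might have ntPwdHash but not the cleartext) */`. It would also help to say in that comment that keys derived this way are presumably limited to the arcfour-hmac-md5 enctype, since the other enctypes need the cleartext, so accounts imported without a cleartext password end up with only that key until the password is next changed. password_hash_add_do_add starts and ends outside the hunk.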