diff options
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 52 | ||||
| -rw-r--r-- | source4/dsdb/samdb/ldb_modules/samba3sam.c | 17 | ||||
| -rw-r--r-- | source4/libnet/libnet_samsync_ldb.c | 2 | ||||
| -rw-r--r-- | source4/rpc_server/samr/samr_password.c | 4 | ||||
| -rw-r--r-- | source4/setup/provision_init.ldif | 2 | ||||
| -rw-r--r-- | source4/setup/provision_users.ldif | 6 |
6 files changed, 35 insertions, 48 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index b8554e4885..80017548d2 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -25,7 +25,7 @@ * * Component: ldb password_hash module * - * Description: correctly update hash values based on changes to unicodePwd and friends + * Description: correctly update hash values based on changes to sambaPassword and friends * * Author: Andrew Bartlett */ @@ -46,7 +46,7 @@ /* If we have decided there is reason to work on this request, then * setup all the password hash types correctly. * - * If the administrator doesn't want the unicodePwd stored (set in the + * If the administrator doesn't want the sambaPassword stored (set in the * domain and per-account policies) then we must strip that out before * we do the first operation. * @@ -71,7 +71,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r uint_t pwdProperties, pwdHistoryLength; uint_t userAccountControl; const char *dnsDomain, *realm; - const char *unicodePwd; + const char *sambaPassword; struct samr_Password *lmPwdHistory, *ntPwdHistory; struct samr_Password *lmPwdHash, *ntPwdHash; struct samr_Password *lmOldHash = NULL, *ntOldHash = NULL; @@ -119,10 +119,10 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r /* Do the original action */ - /* If no part of this touches the unicodePwd, then we don't + /* If no part of this touches the sambaPassword, then we don't * need to make any changes. For password changes/set there should * be a 'delete' or a 'modify' on this attribute. */ - if ((attribute = ldb_msg_find_element(msg, "unicodePwd")) == NULL ) { + if ((attribute = ldb_msg_find_element(msg, "sambaPassword")) == NULL ) { return ldb_next_request(module, req); } @@ -155,35 +155,35 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r msg2 = ldb_msg_copy_shallow(mem_ctx, msg); /* look again, this time at the copied attribute */ - if (!msg2 || (attribute = ldb_msg_find_element(msg2, "unicodePwd")) == NULL ) { + if (!msg2 || (attribute = ldb_msg_find_element(msg2, "sambaPassword")) == NULL ) { /* Gah? where did it go? Oh well... */ return LDB_ERR_OPERATIONS_ERROR; } - /* Wipe out the unicodePwd attribute set, we will handle it in + /* Wipe out the sambaPassword attribute set, we will handle it in * the second modify. We might not want it written to disk */ if (req->operation == LDB_REQ_ADD) { if (attribute->num_values != 1) { ldb_set_errstring(module, - talloc_asprintf(mem_ctx, "unicodePwd_handle: " - "attempted set of multiple unicodePwd attributes on %s rejected", + talloc_asprintf(mem_ctx, "sambaPassword_handle: " + "attempted set of multiple sambaPassword attributes on %s rejected", ldb_dn_linearize(mem_ctx, dn))); return LDB_ERR_CONSTRAINT_VIOLAION; } - unicodePwd = (const char *)attribute->values[0].data; - ldb_msg_remove_attr(msg2, "unicodePwd"); + sambaPassword = (const char *)attribute->values[0].data; + ldb_msg_remove_attr(msg2, "sambaPassword"); } else if (((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_ADD) || ((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE)) { if (attribute->num_values != 1) { return LDB_ERR_CONSTRAINT_VIOLAION; } - unicodePwd = (const char *)attribute->values[0].data; - ldb_msg_remove_attr(msg2, "unicodePwd"); + sambaPassword = (const char *)attribute->values[0].data; + ldb_msg_remove_attr(msg2, "sambaPassword"); } else { - unicodePwd = NULL; + sambaPassword = NULL; } modified_orig_request = talloc(mem_ctx, struct ldb_request); @@ -289,11 +289,11 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r if (!objectclasses || !ldb_msg_find_val(objectclasses, &person_val)) { /* Not a 'person', so the rest of this doesn't make - * sense. How we got a unicodePwd this far I don't + * sense. How we got a sambaPassword this far I don't * know... */ ldb_set_errstring(module, talloc_asprintf(mem_ctx, "password_hash_handle: " - "attempted set of unicodePwd on non-'person' object %s rejected", + "attempted set of sambaPassword on non-'person' object %s rejected", ldb_dn_linearize(mem_ctx, dn))); talloc_free(mem_ctx); return LDB_ERR_CONSTRAINT_VIOLAION; @@ -360,7 +360,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r CHECK_RET(ldb_msg_add_empty(modify_msg, "krb5Key", LDB_FLAG_MOD_REPLACE)); /* Yay, we can compute new password hashes from the unicode * password */ - if (unicodePwd) { + if (sambaPassword) { Principal *salt_principal; const char *user_principal_name = ldb_msg_find_string(res->msgs[0], "userPrincipalName", NULL); @@ -368,12 +368,12 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r size_t num_keys; /* compute the new nt and lm hashes */ - if (E_deshash(unicodePwd, local_lmNewHash.hash)) { + if (E_deshash(sambaPassword, local_lmNewHash.hash)) { lmPwdHash = &local_lmNewHash; } else { lmPwdHash = NULL; } - E_md4hash(unicodePwd, local_ntNewHash.hash); + E_md4hash(sambaPassword, local_ntNewHash.hash); ntPwdHash = &local_ntNewHash; CHECK_RET(ldb_msg_add_empty(modify_msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE)); @@ -449,7 +449,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r /* TODO: We may wish to control the encryption types chosen in future */ krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context, - salt_principal, unicodePwd, &keys, &num_keys); + salt_principal, sambaPassword, &keys, &num_keys); krb5_free_principal(smb_krb5_context->krb5_context, salt_principal); if (krb5_ret) { @@ -499,14 +499,14 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r } /* Possibly kill off the cleartext or store it */ - CHECK_RET(ldb_msg_add_empty(modify_msg, "unicodePwd", LDB_FLAG_MOD_REPLACE)); + CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaPassword", LDB_FLAG_MOD_REPLACE)); - if (unicodePwd && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) && + if (sambaPassword && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) && (userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) { - CHECK_RET(ldb_msg_add_string(modify_msg, "unicodePwd", unicodePwd)); + CHECK_RET(ldb_msg_add_string(modify_msg, "sambaPassword", sambaPassword)); } - /* Even if we didn't get a unicodePwd, we can still setup + /* Even if we didn't get a sambaPassword, we can still setup * krb5Key from the NT hash. * * This is an append, so it works with the 'continue' in the @@ -663,7 +663,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r return ret; } -/* add_record: do things with the unicodePwd attribute */ +/* add_record: do things with the sambaPassword attribute */ static int password_hash_add(struct ldb_module *module, struct ldb_request *req) { const struct ldb_message *msg = req->op.add.message; @@ -677,7 +677,7 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req) return password_hash_handle(module, req, msg); } -/* modify_record: do things with the unicodePwd attribute */ +/* modify_record: do things with the sambaPassword attribute */ static int password_hash_modify(struct ldb_module *module, struct ldb_request *req) { const struct ldb_message *msg = req->op.mod.message; diff --git a/source4/dsdb/samdb/ldb_modules/samba3sam.c b/source4/dsdb/samdb/ldb_modules/samba3sam.c index 7686d9b3ec..429710c2c5 100644 --- a/source4/dsdb/samdb/ldb_modules/samba3sam.c +++ b/source4/dsdb/samdb/ldb_modules/samba3sam.c @@ -812,9 +812,9 @@ const struct ldb_map_attribute samba3_attributes[] = .type = MAP_IGNORE, }, - /* unicodePwd */ + /* sambaPassword */ { - .local_name = "unicodePwd", + .local_name = "sambaPassword", .type = MAP_IGNORE, }, @@ -872,19 +872,6 @@ const struct ldb_map_attribute samba3_attributes[] = }, }, }, - - /* unicodePwd */ - { - .local_name = "unicodePwd", - .type = MAP_GENERATE, - .u = { - .generate = { - .remote_names = { "sambaNTPassword", "sambaLMPassword", NULL }, - .generate_local = NULL, - .generate_remote = generate_hashes - }, - }, - }, { .local_name = NULL, } diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c index d07002691f..03c551d2f7 100644 --- a/source4/libnet/libnet_samsync_ldb.c +++ b/source4/libnet/libnet_samsync_ldb.c @@ -285,7 +285,7 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx, /* Passwords. Ensure there is no plaintext stored against * this entry, as we only have hashes */ samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg, - "unicodePwd"); + "sambaPassword"); if (user->lm_password_present) { samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg, "lmPwdHash", &user->lmpassword); diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c index d2cec881a5..39c077418f 100644 --- a/source4/rpc_server/samr/samr_password.c +++ b/source4/rpc_server/samr/samr_password.c @@ -709,11 +709,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx, * Modules in ldb will set all the appropriate * hashes */ CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod, - "unicodePwd", new_pass)); + "sambaPassword", new_pass)); } else { /* We don't have the cleartext, so delete the old one * and set what we have of the hashes */ - CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "unicodePwd")); + CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "sambaPassword")); if (lmNewHash) { CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "lmPwdHash", lmNewHash)); diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif index 99bbc01acf..5746fbfcda 100644 --- a/source4/setup/provision_init.ldif +++ b/source4/setup/provision_init.ldif @@ -21,7 +21,7 @@ name: CASE_INSENSITIVE dn: CASE_INSENSITIVE sAMAccountName: CASE_INSENSITIVE objectClass: CASE_INSENSITIVE -unicodePwd: HIDDEN +sambaPassword: HIDDEN krb5Key: HIDDEN ntPwdHash: HIDDEN ntPwdHistory: HIDDEN diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif index 105dd4a059..ffb0139378 100644 --- a/source4/setup/provision_users.ldif +++ b/source4/setup/provision_users.ldif @@ -15,7 +15,7 @@ adminCount: 1 accountExpires: -1 sAMAccountName: Administrator isCriticalSystemObject: TRUE -unicodePwd: ${ADMINPASS} +sambaPassword: ${ADMINPASS} unixName: ${ROOT} dn: CN=Guest,CN=Users,${BASEDN} @@ -93,7 +93,7 @@ operatingSystem: Samba operatingSystemVersion: 4.0 dNSHostName: ${DNSNAME} isCriticalSystemObject: TRUE -unicodePwd: ${MACHINEPASS} +sambaPassword: ${MACHINEPASS} servicePrincipalName: HOST/${DNSNAME} servicePrincipalName: HOST/${NETBIOSNAME} servicePrincipalName: HOST/${DNSNAME}/${REALM} @@ -269,7 +269,7 @@ sAMAccountName: krbtgt sAMAccountType: 805306368 servicePrincipalName: kadmin/changepw isCriticalSystemObject: TRUE -unicodePwd: ${KRBTGTPASS} +sambaPassword: ${KRBTGTPASS} dn: CN=Domain Computers,CN=Users,${BASEDN} objectClass: top |