summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c52
-rw-r--r--source4/dsdb/samdb/ldb_modules/samba3sam.c17
-rw-r--r--source4/libnet/libnet_samsync_ldb.c2
-rw-r--r--source4/rpc_server/samr/samr_password.c4
-rw-r--r--source4/setup/provision_init.ldif2
-rw-r--r--source4/setup/provision_users.ldif6
6 files changed, 35 insertions, 48 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index b8554e4885..80017548d2 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -25,7 +25,7 @@
*
* Component: ldb password_hash module
*
- * Description: correctly update hash values based on changes to unicodePwd and friends
+ * Description: correctly update hash values based on changes to sambaPassword and friends
*
* Author: Andrew Bartlett
*/
@@ -46,7 +46,7 @@
/* If we have decided there is reason to work on this request, then
* setup all the password hash types correctly.
*
- * If the administrator doesn't want the unicodePwd stored (set in the
+ * If the administrator doesn't want the sambaPassword stored (set in the
* domain and per-account policies) then we must strip that out before
* we do the first operation.
*
@@ -71,7 +71,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
uint_t pwdProperties, pwdHistoryLength;
uint_t userAccountControl;
const char *dnsDomain, *realm;
- const char *unicodePwd;
+ const char *sambaPassword;
struct samr_Password *lmPwdHistory, *ntPwdHistory;
struct samr_Password *lmPwdHash, *ntPwdHash;
struct samr_Password *lmOldHash = NULL, *ntOldHash = NULL;
@@ -119,10 +119,10 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
/* Do the original action */
- /* If no part of this touches the unicodePwd, then we don't
+ /* If no part of this touches the sambaPassword, then we don't
* need to make any changes. For password changes/set there should
* be a 'delete' or a 'modify' on this attribute. */
- if ((attribute = ldb_msg_find_element(msg, "unicodePwd")) == NULL ) {
+ if ((attribute = ldb_msg_find_element(msg, "sambaPassword")) == NULL ) {
return ldb_next_request(module, req);
}
@@ -155,35 +155,35 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
msg2 = ldb_msg_copy_shallow(mem_ctx, msg);
/* look again, this time at the copied attribute */
- if (!msg2 || (attribute = ldb_msg_find_element(msg2, "unicodePwd")) == NULL ) {
+ if (!msg2 || (attribute = ldb_msg_find_element(msg2, "sambaPassword")) == NULL ) {
/* Gah? where did it go? Oh well... */
return LDB_ERR_OPERATIONS_ERROR;
}
- /* Wipe out the unicodePwd attribute set, we will handle it in
+ /* Wipe out the sambaPassword attribute set, we will handle it in
* the second modify. We might not want it written to disk */
if (req->operation == LDB_REQ_ADD) {
if (attribute->num_values != 1) {
ldb_set_errstring(module,
- talloc_asprintf(mem_ctx, "unicodePwd_handle: "
- "attempted set of multiple unicodePwd attributes on %s rejected",
+ talloc_asprintf(mem_ctx, "sambaPassword_handle: "
+ "attempted set of multiple sambaPassword attributes on %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
return LDB_ERR_CONSTRAINT_VIOLAION;
}
- unicodePwd = (const char *)attribute->values[0].data;
- ldb_msg_remove_attr(msg2, "unicodePwd");
+ sambaPassword = (const char *)attribute->values[0].data;
+ ldb_msg_remove_attr(msg2, "sambaPassword");
} else if (((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_ADD)
|| ((attribute->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_REPLACE)) {
if (attribute->num_values != 1) {
return LDB_ERR_CONSTRAINT_VIOLAION;
}
- unicodePwd = (const char *)attribute->values[0].data;
- ldb_msg_remove_attr(msg2, "unicodePwd");
+ sambaPassword = (const char *)attribute->values[0].data;
+ ldb_msg_remove_attr(msg2, "sambaPassword");
} else {
- unicodePwd = NULL;
+ sambaPassword = NULL;
}
modified_orig_request = talloc(mem_ctx, struct ldb_request);
@@ -289,11 +289,11 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
if (!objectclasses || !ldb_msg_find_val(objectclasses, &person_val)) {
/* Not a 'person', so the rest of this doesn't make
- * sense. How we got a unicodePwd this far I don't
+ * sense. How we got a sambaPassword this far I don't
* know... */
ldb_set_errstring(module,
talloc_asprintf(mem_ctx, "password_hash_handle: "
- "attempted set of unicodePwd on non-'person' object %s rejected",
+ "attempted set of sambaPassword on non-'person' object %s rejected",
ldb_dn_linearize(mem_ctx, dn)));
talloc_free(mem_ctx);
return LDB_ERR_CONSTRAINT_VIOLAION;
@@ -360,7 +360,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
CHECK_RET(ldb_msg_add_empty(modify_msg, "krb5Key", LDB_FLAG_MOD_REPLACE));
/* Yay, we can compute new password hashes from the unicode
* password */
- if (unicodePwd) {
+ if (sambaPassword) {
Principal *salt_principal;
const char *user_principal_name = ldb_msg_find_string(res->msgs[0], "userPrincipalName", NULL);
@@ -368,12 +368,12 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
size_t num_keys;
/* compute the new nt and lm hashes */
- if (E_deshash(unicodePwd, local_lmNewHash.hash)) {
+ if (E_deshash(sambaPassword, local_lmNewHash.hash)) {
lmPwdHash = &local_lmNewHash;
} else {
lmPwdHash = NULL;
}
- E_md4hash(unicodePwd, local_ntNewHash.hash);
+ E_md4hash(sambaPassword, local_ntNewHash.hash);
ntPwdHash = &local_ntNewHash;
CHECK_RET(ldb_msg_add_empty(modify_msg, "ntPwdHash",
LDB_FLAG_MOD_REPLACE));
@@ -449,7 +449,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
/* TODO: We may wish to control the encryption types chosen in future */
krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
- salt_principal, unicodePwd, &keys, &num_keys);
+ salt_principal, sambaPassword, &keys, &num_keys);
krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
if (krb5_ret) {
@@ -499,14 +499,14 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
}
/* Possibly kill off the cleartext or store it */
- CHECK_RET(ldb_msg_add_empty(modify_msg, "unicodePwd", LDB_FLAG_MOD_REPLACE));
+ CHECK_RET(ldb_msg_add_empty(modify_msg, "sambaPassword", LDB_FLAG_MOD_REPLACE));
- if (unicodePwd && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
+ if (sambaPassword && (pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT) &&
(userAccountControl & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
- CHECK_RET(ldb_msg_add_string(modify_msg, "unicodePwd", unicodePwd));
+ CHECK_RET(ldb_msg_add_string(modify_msg, "sambaPassword", sambaPassword));
}
- /* Even if we didn't get a unicodePwd, we can still setup
+ /* Even if we didn't get a sambaPassword, we can still setup
* krb5Key from the NT hash.
*
* This is an append, so it works with the 'continue' in the
@@ -663,7 +663,7 @@ static int password_hash_handle(struct ldb_module *module, struct ldb_request *r
return ret;
}
-/* add_record: do things with the unicodePwd attribute */
+/* add_record: do things with the sambaPassword attribute */
static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.add.message;
@@ -677,7 +677,7 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
return password_hash_handle(module, req, msg);
}
-/* modify_record: do things with the unicodePwd attribute */
+/* modify_record: do things with the sambaPassword attribute */
static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
{
const struct ldb_message *msg = req->op.mod.message;
diff --git a/source4/dsdb/samdb/ldb_modules/samba3sam.c b/source4/dsdb/samdb/ldb_modules/samba3sam.c
index 7686d9b3ec..429710c2c5 100644
--- a/source4/dsdb/samdb/ldb_modules/samba3sam.c
+++ b/source4/dsdb/samdb/ldb_modules/samba3sam.c
@@ -812,9 +812,9 @@ const struct ldb_map_attribute samba3_attributes[] =
.type = MAP_IGNORE,
},
- /* unicodePwd */
+ /* sambaPassword */
{
- .local_name = "unicodePwd",
+ .local_name = "sambaPassword",
.type = MAP_IGNORE,
},
@@ -872,19 +872,6 @@ const struct ldb_map_attribute samba3_attributes[] =
},
},
},
-
- /* unicodePwd */
- {
- .local_name = "unicodePwd",
- .type = MAP_GENERATE,
- .u = {
- .generate = {
- .remote_names = { "sambaNTPassword", "sambaLMPassword", NULL },
- .generate_local = NULL,
- .generate_remote = generate_hashes
- },
- },
- },
{
.local_name = NULL,
}
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index d07002691f..03c551d2f7 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -285,7 +285,7 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
/* Passwords. Ensure there is no plaintext stored against
* this entry, as we only have hashes */
samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
- "unicodePwd");
+ "sambaPassword");
if (user->lm_password_present) {
samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
"lmPwdHash", &user->lmpassword);
diff --git a/source4/rpc_server/samr/samr_password.c b/source4/rpc_server/samr/samr_password.c
index d2cec881a5..39c077418f 100644
--- a/source4/rpc_server/samr/samr_password.c
+++ b/source4/rpc_server/samr/samr_password.c
@@ -709,11 +709,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
* Modules in ldb will set all the appropriate
* hashes */
CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod,
- "unicodePwd", new_pass));
+ "sambaPassword", new_pass));
} else {
/* We don't have the cleartext, so delete the old one
* and set what we have of the hashes */
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "unicodePwd"));
+ CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "sambaPassword"));
if (lmNewHash) {
CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "lmPwdHash", lmNewHash));
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index 99bbc01acf..5746fbfcda 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -21,7 +21,7 @@ name: CASE_INSENSITIVE
dn: CASE_INSENSITIVE
sAMAccountName: CASE_INSENSITIVE
objectClass: CASE_INSENSITIVE
-unicodePwd: HIDDEN
+sambaPassword: HIDDEN
krb5Key: HIDDEN
ntPwdHash: HIDDEN
ntPwdHistory: HIDDEN
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 105dd4a059..ffb0139378 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
@@ -15,7 +15,7 @@ adminCount: 1
accountExpires: -1
sAMAccountName: Administrator
isCriticalSystemObject: TRUE
-unicodePwd: ${ADMINPASS}
+sambaPassword: ${ADMINPASS}
unixName: ${ROOT}
dn: CN=Guest,CN=Users,${BASEDN}
@@ -93,7 +93,7 @@ operatingSystem: Samba
operatingSystemVersion: 4.0
dNSHostName: ${DNSNAME}
isCriticalSystemObject: TRUE
-unicodePwd: ${MACHINEPASS}
+sambaPassword: ${MACHINEPASS}
servicePrincipalName: HOST/${DNSNAME}
servicePrincipalName: HOST/${NETBIOSNAME}
servicePrincipalName: HOST/${DNSNAME}/${REALM}
@@ -269,7 +269,7 @@ sAMAccountName: krbtgt
sAMAccountType: 805306368
servicePrincipalName: kadmin/changepw
isCriticalSystemObject: TRUE
-unicodePwd: ${KRBTGTPASS}
+sambaPassword: ${KRBTGTPASS}
dn: CN=Domain Computers,CN=Users,${BASEDN}
objectClass: top