summaryrefslogtreecommitdiff
path: root/source4/dsdb/samdb
diff options
context:
space:
mode:
Diffstat (limited to 'source4/dsdb/samdb')
-rw-r--r--source4/dsdb/samdb/ldb_modules/entryUUID.c9
-rw-r--r--source4/dsdb/samdb/ldb_modules/password_hash.c17
2 files changed, 21 insertions, 5 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/entryUUID.c b/source4/dsdb/samdb/ldb_modules/entryUUID.c
index 06e5384cff..d6f4b10d76 100644
--- a/source4/dsdb/samdb/ldb_modules/entryUUID.c
+++ b/source4/dsdb/samdb/ldb_modules/entryUUID.c
@@ -215,6 +215,15 @@ const struct ldb_map_attribute entryUUID_attributes[] =
}
},
{
+ .local_name = "sambaPassword",
+ .type = MAP_RENAME,
+ .u = {
+ .rename = {
+ .remote_name = "userPassword"
+ }
+ }
+ },
+ {
.local_name = "allowedChildClassesEffective",
.type = MAP_CONVERT,
.u = {
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9bdb9aa0cc..d8ef9176fd 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -88,6 +88,7 @@ struct ph_context {
};
struct domain_data {
+ BOOL store_cleartext;
uint_t pwdProperties;
uint_t pwdHistoryLength;
char *dns_domain;
@@ -535,7 +536,8 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx,
return NULL;
}
- data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
+ data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
+ data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
/* For a domain DN, this puts things in dotted notation */
@@ -692,6 +694,7 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
/* if we have sambaPassword in the original message add the operatio on it here */
sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
if (sambaAttr) {
+ unsigned int user_account_control;
ret = add_password_hashes(ac->module, msg, 0);
/* we can compute new password hashes from the unicode password */
if (ret != LDB_SUCCESS) {
@@ -715,8 +718,10 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
/* if both the domain properties and the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+ if (domain->store_cleartext && (user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
ldb_msg_remove_attr(msg, "sambaPassword");
}
}
@@ -1022,8 +1027,10 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
/* if the domain properties or the user account controls do not permit
* clear text passwords then wipe out the sambaPassword */
- if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
- (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
+ if (domain->store_cleartext &&
+ (ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+ /* Keep sambaPassword attribute */
+ } else {
ldb_msg_remove_attr(msg, "sambaPassword");
}