From bd8f63a61747d91452dadaa1667bc30a708fa4d4 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Mon, 16 Oct 2006 07:32:22 +0000
Subject: r19321: Merge from release branch:

Always set the krb5key from the ntPwdHash, even if we don't have the
cleartext password in sambaPassword.  This fixes kerberos after a
vampire.

Andrew Bartlett
(This used to be commit 1d4d2271c9b944db3a9a2eba971aec5bcd9cf100)
---
 source4/dsdb/samdb/ldb_modules/password_hash.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)


diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 6f24c7fa4c..a4862f3820 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -724,12 +724,6 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
 			return ret;
 		}
 		
-		/* add also kr5 keys based on NT the hash */
-		ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
-		if (ret != LDB_SUCCESS) {
-			return ret;
-		}
-		
 		/* if both the domain properties and the user account controls do not permit
 		 * clear text passwords then wipe out the sambaPassword */
 		user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
@@ -740,6 +734,12 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
 		}
 	}
 
+	/* add also krb5 keys based on NT the hash (we might have ntPwdHash, but not the cleartext */
+	ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
+	if (ret != LDB_SUCCESS) {
+		return ret;
+	}
+		
 	/* don't touch it if a value is set. It could be an incoming samsync */
 	if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
 		if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
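Review bot: The call to add_krb5_keys_from_NThash() on the added lines now runs for every add, including messages that carry neither sambaPassword nor ntPwdHash, so the helper has to return LDB_SUCCESS without adding a key when ntPwdHash is absent. Its body is not visible here, so that should be confirmed, along with smb_krb5_context being initialised outside the conditional block that closes just above the new call. The key is also derived after the sambaPassword wipe instead of before it, which is safe only if the helper reads ntPwdHash alone. The new comment is garbled and leaves its parenthesis open; I would write `/* also add krb5 keys derived from the NT hash: ntPwdHash may be present without the cleartext sambaPassword */` and drop the trailing tabs on the blank line after the check. password_hash_add_do_add starts and ends outside the hunk.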