From 44ea6a26fd088f0f8c86817510ebe5a6cddf9158 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Sat, 12 Jul 2008 15:26:42 +1000
Subject: rename sambaPassword -> userPassword.

This attribute is used in a very similar way (virtual attribute updating the password) in AD on Win2003, so eliminate the difference.

This should not cause a problem for on-disk passwords, as by default we do not store the plaintext at all.

Andrew Bartlett
(This used to be commit 1cf0d751493b709ef6b2234ec8847a7499f48ab3)
---
 source4/dsdb/common/util.c | 4 +--
 source4/dsdb/samdb/ldb_modules/kludge_acl.c | 2 +-
 source4/dsdb/samdb/ldb_modules/local_password.c | 6 ++---
 source4/dsdb/samdb/ldb_modules/password_hash.c | 32 ++++++++++++------------
 source4/dsdb/samdb/ldb_modules/samba3sam.c | 4 +--
 source4/dsdb/samdb/ldb_modules/simple_ldap_map.c | 18 -------------
 source4/libnet/libnet_samsync_ldb.c | 2 +-
 source4/scripting/python/samba/samdb.py | 6 ++---
 source4/setup/provision_init.ldif | 4 +--
 source4/setup/provision_self_join.ldif | 4 +--
 source4/setup/provision_users.ldif | 4 +--
 source4/setup/schema-map-fedora-ds-1.0 | 2 --
 source4/setup/schema-map-openldap-2.3 | 2 --
 source4/setup/schema_samba4.ldif | 27 +++++++++++---------
 14 files changed, 49 insertions(+), 68 deletions(-)
(limited to 'source4')

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index a571ae1f79..fa8276e7b4 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -1741,11 +1741,11 @@ NTSTATUS samdb_set_password(struct ldb_context *ctx, TALLOC_CTX *mem_ctx,
 * Modules in ldb will set all the appropriate
 * hashes */
 CHECK_RET(samdb_msg_add_string(ctx, mem_ctx, mod,
- "sambaPassword", new_pass));
+ "userPassword", new_pass));
 } else {
 /* We don't have the cleartext, so delete the old one
 * and set what we have of the hashes */
- CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "sambaPassword"));
+ CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "userPassword"));
 if (lmNewHash) {
 CHECK_RET(samdb_msg_add_hash(ctx, mem_ctx, mod, "dBCSPwd",
 lmNewHash));
diff --git a/source4/dsdb/samdb/ldb_modules/kludge_acl.c b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
index bc30fbc36d..2c01594722 100644
--- a/source4/dsdb/samdb/ldb_modules/kludge_acl.c
+++ b/source4/dsdb/samdb/ldb_modules/kludge_acl.c
@@ -321,7 +321,7 @@ static int kludge_acl_search(struct ldb_module *module, struct ldb_request *req)
 /* FIXME: I hink we should copy the tree and keep the original
 * unmodified. SSS */
 /* replace any attributes in the parse tree that are private,
- so we don't allow a search for 'sambaPassword=penguin',
+ so we don't allow a search for 'userPassword=penguin',
 just as we would not allow that attribute to be returned */
 switch (ac->user_type) {
 case SECURITY_SYSTEM:
diff --git a/source4/dsdb/samdb/ldb_modules/local_password.c b/source4/dsdb/samdb/ldb_modules/local_password.c
index dfa98ef0af..a411c01513 100644
--- a/source4/dsdb/samdb/ldb_modules/local_password.c
+++ b/source4/dsdb/samdb/ldb_modules/local_password.c
@@ -24,7 +24,7 @@
 *
 * Component: ldb local_password module
 *
- * Description: correctly update hash values based on changes to sambaPassword and friends
+ * Description: correctly update hash values based on changes to userPassword and friends
 *
 * Author: Andrew Bartlett
 */
@@ -154,7 +154,7 @@ static int local_password_add(struct ldb_module *module, struct ldb_request *req
 return ldb_next_request(module, req);
 }
 
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
 ldb_asprintf_errstring(module->ldb,
 "Cannot relocate a password on entry: %s, does not have objectClass 'person'",
@@ -417,7 +417,7 @@ static int local_password_mod_local(struct ldb_handle *h) {
 ac = talloc_get_type(h->private_data, struct lpdb_context);
 
 /* if it is not an entry of type person this is an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when these things are checked in the schema */
 if (!ac->search_res) {
 ldb_asprintf_errstring(ac->module->ldb,
 "entry just modified (%s) not found!",
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 1d2bdd988e..3e442b6341 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -25,7 +25,7 @@
 *
 * Component: ldb password_hash module
 *
- * Description: correctly update hash values based on changes to sambaPassword and friends
+ * Description: correctly update hash values based on changes to userPassword and friends
 *
 * Author: Andrew Bartlett
 * Author: Stefan Metzmacher
@@ -54,7 +54,7 @@
 /* If we have decided there is reason to work on this request, then
 * setup all the password hash types correctly.
 *
- * If the administrator doesn't want the sambaPassword stored (set in the
+ * If the administrator doesn't want the userPassword stored (set in the
 * domain and per-account policies) then we must strip that out before
 * we do the first operation.
 *
@@ -1341,10 +1341,10 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 
- /* If no part of this ADD touches the sambaPassword, or the NT
+ /* If no part of this ADD touches the userPassword, or the NT
 * or LM hashes, then we don't need to make any changes. */
 
- sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
+ sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
 
@@ -1353,16 +1353,16 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
 }
 
 /* if it is not an entry of type person its an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
 if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
 return LDB_ERR_OBJECT_CLASS_VIOLATION;
 }
 
- /* check sambaPassword is single valued here */
- /* TODO: remove this when sambaPassword will be single valued in schema */
+ /* check userPassword is single valued here */
+ /* TODO: remove this when userPassword will be single valued in schema */
 if (sambaAttr && sambaAttr->num_values > 1) {
- ldb_set_errstring(module->ldb, "mupltiple values for sambaPassword not allowed!\n");
+ ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
 
@@ -1376,7 +1376,7 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
 }
 
 if (sambaAttr && sambaAttr->num_values == 0) {
- ldb_set_errstring(module->ldb, "sambaPassword must have a value!\n");
+ ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
 return LDB_ERR_CONSTRAINT_VIOLATION;
 }
 
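Review bot: The rewritten line `sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");` is in password_hash_add, an ADD handler, yet it reads the message through `req->op.mod`, while the objectClass check in the next hunk reads the same request as `req->op.add.message`. Presumably both union members alias the same pointer today, but the mismatch reads like a copy of the password_hash_modify code later in this file and will mislead the next reader. Since the line is being touched anyway, it and the two `ntAttr`/`lmAttr` lookups below it should use `req->op.add.message`. password_hash_add's body extends beyond this hunk on both sides.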
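Review bot: The error string rewritten in the -1353 hunk, `"mupltiple values for userPassword not allowed!\n"`, carries the typo forward and ends in a newline, unlike the other ldb_set_errstring message in the same hunk (`"Cannot set a password on entry that does not have objectClass 'person'"`). While the line is changed it should read `ldb_set_errstring(module->ldb, "multiple values for userPassword not allowed!");`. The `"userPassword must have a value!\n"` string in the following hunk has the same trailing newline.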
@@ -1459,12 +1459,12 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
 
 io.u.user_principal_name = samdb_result_string(msg, "userPrincipalName", NULL);
 io.u.is_computer = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
- io.n.cleartext = samdb_result_string(msg, "sambaPassword", NULL);
+ io.n.cleartext = samdb_result_string(msg, "userPassword", NULL);
 io.n.nt_hash = samdb_result_hash(io.ac, msg, "unicodePwd");
 io.n.lm_hash = samdb_result_hash(io.ac, msg, "dBCSPwd");
 
 /* remove attributes */
- if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
+ if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
 if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
 if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
 ldb_msg_remove_attr(msg, "pwdLastSet");
@@ -1573,11 +1573,11 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
 return LDB_ERR_UNWILLING_TO_PERFORM;
 }
 
- sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
+ sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
 ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
 lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
 
- /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
+ /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
 * need to make any changes. For password changes/set there should
 * be a 'delete' or a 'modify' on this attribute. */
 if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
@@ -1619,7 +1619,7 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
 
 /* - remove any imodification to the password from the first commit
 * we will make the real modification later */
- if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
+ if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
 if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
 if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
 
@@ -1655,7 +1655,7 @@ static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_
 }
 
 /* if it is not an entry of type person this is an error */
- /* TODO: remove this when sambaPassword will be in schema */
+ /* TODO: remove this when userPassword will be in schema */
 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
 ldb_set_errstring(ldb, "Object class violation");
 talloc_free(ares);
@@ -1790,7 +1790,7 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
 
 io.u.user_principal_name = samdb_result_string(searched_msg, "userPrincipalName", NULL);
 io.u.is_computer = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
- io.n.cleartext = samdb_result_string(orig_msg, "sambaPassword", NULL);
+ io.n.cleartext = samdb_result_string(orig_msg, "userPassword", NULL);
 io.n.nt_hash = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
 io.n.lm_hash = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
 
diff --git a/source4/dsdb/samdb/ldb_modules/samba3sam.c b/source4/dsdb/samdb/ldb_modules/samba3sam.c
index 88b04b1bb6..7a123c818f 100644
--- a/source4/dsdb/samdb/ldb_modules/samba3sam.c
+++ b/source4/dsdb/samdb/ldb_modules/samba3sam.c
@@ -848,9 +848,9 @@ const struct ldb_map_attribute samba3_attributes[] =
 .type = MAP_IGNORE,
 },
 
- /* sambaPassword */
+ /* userPassword */
 {
- .local_name = "sambaPassword",
+ .local_name = "userPassword",
 .type = MAP_IGNORE,
 },
 
diff --git a/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c b/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c
index e5541ea255..05f11003c4 100644
--- a/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c
+++ b/source4/dsdb/samdb/ldb_modules/simple_ldap_map.c
@@ -354,15 +354,6 @@ static const struct ldb_map_attribute entryuuid_attributes[] =
 }
 }
 },
- {
- .local_name = "sambaPassword",
- .type = MAP_RENAME,
- .u = {
- .rename = {
- .remote_name = "userPassword"
- }
- }
- },
 {
 .local_name = "objectCategory",
 .type = MAP_CONVERT,
@@ -504,15 +495,6 @@ static const struct ldb_map_attribute nsuniqueid_attributes[] =
 }
 }
 },
- {
- .local_name = "sambaPassword",
- .type = MAP_RENAME,
- .u = {
- .rename = {
- .remote_name = "userPassword"
- }
- }
- },
 {
 .local_name = "objectCategory",
 .type = MAP_CONVERT,
diff --git a/source4/libnet/libnet_samsync_ldb.c b/source4/libnet/libnet_samsync_ldb.c
index 85e5dea2d7..a79bf043a5 100644
--- a/source4/libnet/libnet_samsync_ldb.c
+++ b/source4/libnet/libnet_samsync_ldb.c
@@ -366,7 +366,7 @@ static NTSTATUS samsync_ldb_handle_user(TALLOC_CTX *mem_ctx,
 /* Passwords. Ensure there is no plaintext stored against
 * this entry, as we only have hashes */
 samdb_msg_add_delete(state->sam_ldb, mem_ctx, msg,
- "sambaPassword");
+ "userPassword");
 }
 if (user->lm_password_present) {
 samdb_msg_add_hash(state->sam_ldb, mem_ctx, msg,
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index 6465f49519..c47cf4a0dc 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -112,7 +112,7 @@ userAccountControl: %u
 # now the real work
 self.add({"dn": user_dn,
 "sAMAccountName": username,
- "sambaPassword": password,
+ "userPassword": password,
 "objectClass": "user"})
 
 res = self.search(user_dn, scope=ldb.SCOPE_BASE,
@@ -163,8 +163,8 @@ userAccountControl: %u
 setpw = """
 dn: %s
 changetype: modify
-replace: sambaPassword
-sambaPassword: %s
+replace: userPassword
+userPassword: %s
 """ % (user_dn, password)
 
 self.modify_ldif(setpw)
diff --git a/source4/setup/provision_init.ldif b/source4/setup/provision_init.ldif
index c922fa0bd2..65a12f1afa 100644
--- a/source4/setup/provision_init.ldif
+++ b/source4/setup/provision_init.ldif
@@ -10,7 +10,7 @@ name: CASE_INSENSITIVE
 dn: CASE_INSENSITIVE
 sAMAccountName: CASE_INSENSITIVE
 objectClass: CASE_INSENSITIVE
-sambaPassword: HIDDEN
+userPassword: HIDDEN
 krb5Key: HIDDEN
 ntPwdHash: HIDDEN
 sambaNTPwdHistory: HIDDEN
@@ -27,7 +27,7 @@ dn: @OPTIONS
 checkBaseOnSearch: TRUE
 
 dn: @KLUDGEACL
-passwordAttribute: sambaPassword
+passwordAttribute: userPassword
 passwordAttribute: ntPwdHash
 passwordAttribute: sambaNTPwdHistory
 passwordAttribute: lmPwdHash
diff --git a/source4/setup/provision_self_join.ldif b/source4/setup/provision_self_join.ldif
index c91e2f4c19..77a2e49865 100644
--- a/source4/setup/provision_self_join.ldif
+++ b/source4/setup/provision_self_join.ldif
@@ -12,7 +12,7 @@ operatingSystem: Samba
 operatingSystemVersion: 4.0
 dNSHostName: ${DNSNAME}
 isCriticalSystemObject: TRUE
-sambaPassword:: ${MACHINEPASS_B64}
+userPassword:: ${MACHINEPASS_B64}
 servicePrincipalName: HOST/${DNSNAME}
 servicePrincipalName: HOST/${NETBIOSNAME}
 servicePrincipalName: HOST/${DNSNAME}/${REALM}
@@ -33,7 +33,7 @@ accountExpires: 9223372036854775807
 sAMAccountName: dns
 servicePrincipalName: DNS/${DNSDOMAIN}
 isCriticalSystemObject: TRUE
-sambaPassword:: ${DNSPASS_B64}
+userPassword:: ${DNSPASS_B64}
 showInAdvancedViewOnly: TRUE
 
 dn: ${SERVERDN}
diff --git a/source4/setup/provision_users.ldif b/source4/setup/provision_users.ldif
index 5a24e07492..641247cf22 100644
--- a/source4/setup/provision_users.ldif
+++ b/source4/setup/provision_users.ldif
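Review bot: The rewritten template line `userPassword: %s` still interpolates the password verbatim into LDIF text, so a value containing a newline, or beginning with a space, `:` or `<`, yields malformed LDIF or is read as a different attribute line; the enclosing method starts before this hunk. The provisioning files in this same commit already use the base64 form (`userPassword:: ${MACHINEPASS_B64}`), so this template could emit `userPassword:: %s` fed by `base64.b64encode(password)`, or build an ldb message and call modify() instead of modify_ldif.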
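Review bot: Replacing `sambaPassword: HIDDEN` in the @ATTRIBUTES record, and `passwordAttribute: sambaPassword` in the @KLUDGEACL hunk that follows it, rather than adding the userPassword lines beside them leaves no entry for the old name, and these records are presumably written only at provision time, so an existing database keeps lists naming sambaPassword only while samdb_set_password and samdb.py now write userPassword. If upgrading without re-provisioning is expected to work, keep both names in these records (`passwordAttribute: userPassword` next to `passwordAttribute: sambaPassword`) or add an upgrade step that rewrites them, so cleartext values stay hidden by kludge_acl under either name.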
@@ -8,7 +8,7 @@ adminCount: 1
 accountExpires: 9223372036854775807
 sAMAccountName: Administrator
 isCriticalSystemObject: TRUE
-sambaPassword:: ${ADMINPASS_B64}
+userPassword:: ${ADMINPASS_B64}
 
 dn: CN=Guest,CN=Users,${DOMAINDN}
 objectClass: user
@@ -46,7 +46,7 @@ accountExpires: 9223372036854775807
 sAMAccountName: krbtgt
 servicePrincipalName: kadmin/changepw
 isCriticalSystemObject: TRUE
-sambaPassword:: ${KRBTGTPASS_B64}
+userPassword:: ${KRBTGTPASS_B64}
 
 dn: CN=Domain Computers,CN=Users,${DOMAINDN}
 objectClass: top
diff --git a/source4/setup/schema-map-fedora-ds-1.0 b/source4/setup/schema-map-fedora-ds-1.0
index 86f8c0b726..e55ef0a9e7 100644
--- a/source4/setup/schema-map-fedora-ds-1.0
+++ b/source4/setup/schema-map-fedora-ds-1.0
@@ -12,8 +12,6 @@ description
 cn
 dITContentRules
 top
-#This shouldn't make it to the ldap server
-sambaPassword
 #This should be provided by the LDAP server, only in our schema to permit provision
 aci
 #Skip ObjectClasses
diff --git a/source4/setup/schema-map-openldap-2.3 b/source4/setup/schema-map-openldap-2.3
index 3f07a9d50f..f5279616d1 100644
--- a/source4/setup/schema-map-openldap-2.3
+++ b/source4/setup/schema-map-openldap-2.3
@@ -13,8 +13,6 @@ cn
 top
 #The memberOf plugin provides this attribute
 memberOf
-#This shouldn't make it to the ldap server
-sambaPassword
 #These conflict with OpenLDAP builtins
 attributeTypes:samba4AttributeTypes
 2.5.21.5:1.3.6.1.4.1.7165.4.255.7
diff --git a/source4/setup/schema_samba4.ldif b/source4/setup/schema_samba4.ldif
index 8128c43ac4..21d17c5caa 100644
--- a/source4/setup/schema_samba4.ldif
+++ b/source4/setup/schema_samba4.ldif
@@ -83,18 +83,21 @@
 #attributeSyntax: 2.5.5.10
 #oMSyntax: 4
 
-dn: CN=sambaPassword,${SCHEMADN}
-objectClass: top
-objectClass: attributeSchema
-lDAPDisplayName: sambaPassword
-isSingleValued: FALSE
-systemFlags: 17
-systemOnly: TRUE
-schemaIDGUID: 87F10301-229A-4E69-B63A-998339ADA37A
-adminDisplayName: SAMBA-Password
-attributeID: 1.3.6.1.4.1.7165.4.1.5
-attributeSyntax: 2.5.5.5
-oMSyntax: 22
+#
+# Not used anymore
+#
+#dn: CN=sambaPassword,${SCHEMADN}
+#objectClass: top
+#objectClass: attributeSchema
+#lDAPDisplayName: sambaPassword
+#isSingleValued: FALSE
+#systemFlags: 17
+#systemOnly: TRUE
+#schemaIDGUID: 87F10301-229A-4E69-B63A-998339ADA37A
+#adminDisplayName: SAMBA-Password
+#attributeID: 1.3.6.1.4.1.7165.4.1.5
+#attributeSyntax: 2.5.5.5
+#oMSyntax: 22
 
 #
 # Not used anymore
-- cgit
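Review bot: The twelve commented-out lines add a `# Not used anymore` banner directly above a second, pre-existing `# Not used anymore` block in the trailing context, and commented-out schema entries tend to linger indefinitely. Deleting the entry outright would be cleaner, since the history keeps it; if the attributeID 1.3.6.1.4.1.7165.4.1.5 is meant to stay reserved, a single line such as `# 1.3.6.1.4.1.7165.4.1.5 was sambaPassword, retired` records that more clearly than the full commented-out entry.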