git.samba.org / samba.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
password_hash: fix the callers after drsblobs.idl changes
[samba.git] / source4 / dsdb / samdb / ldb_modules / password_hash.c
1 /* 
2    ldb database module
3
4    Copyright (C) Simo Sorce  2004-2006
5    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
6    Copyright (C) Andrew Tridgell 2004
7    Copyright (C) Stefan Metzmacher 2007
8
9    This program is free software; you can redistribute it and/or modify
10    it under the terms of the GNU General Public License as published by
11    the Free Software Foundation; either version 3 of the License, or
12    (at your option) any later version.
13    
14    This program is distributed in the hope that it will be useful,
15    but WITHOUT ANY WARRANTY; without even the implied warranty of
16    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17    GNU General Public License for more details.
18    
19    You should have received a copy of the GNU General Public License
20    along with this program.  If not, see <http://www.gnu.org/licenses/>.
21 */
22
23 /*
24  *  Name: ldb
25  *
26  *  Component: ldb password_hash module
27  *
28  *  Description: correctly update hash values based on changes to userPassword and friends
29  *
30  *  Author: Andrew Bartlett
31  *  Author: Stefan Metzmacher
32  */
33
34 #include "includes.h"
35 #include "libcli/ldap/ldap_ndr.h"
36 #include "ldb/include/ldb_errors.h"
37 #include "ldb/include/ldb.h"
38 #include "ldb/include/ldb_private.h"
39 #include "librpc/gen_ndr/misc.h"
40 #include "librpc/gen_ndr/samr.h"
41 #include "libcli/auth/libcli_auth.h"
42 #include "libcli/security/security.h"
43 #include "system/kerberos.h"
44 #include "auth/kerberos/kerberos.h"
45 #include "system/time.h"
46 #include "dsdb/samdb/samdb.h"
47 #include "dsdb/common/flags.h"
48 #include "dsdb/samdb/ldb_modules/password_modules.h"
49 #include "librpc/ndr/libndr.h"
50 #include "librpc/gen_ndr/ndr_drsblobs.h"
51 #include "lib/crypto/crypto.h"
52 #include "param/param.h"
53
54 /* If we have decided there is reason to work on this request, then
55  * setup all the password hash types correctly.
56  *
57  * If the administrator doesn't want the userPassword stored (set in the
58  * domain and per-account policies) then we must strip that out before
59  * we do the first operation.
60  *
61  * Once this is done (which could update anything at all), we
62  * calculate the password hashes.
63  *
64  * This function must not only update the unicodePwd, dBCSPwd and
65  * supplementalCredentials fields, it must also atomicly increment the
66  * msDS-KeyVersionNumber.  We should be in a transaction, so all this
67  * should be quite safe...
68  *
69  * Finally, if the administrator has requested that a password history
70  * be maintained, then this should also be written out.
71  *
72  */
73
74 struct ph_context {
75
76         enum ph_type {PH_ADD, PH_MOD} type;
77         enum ph_step {PH_ADD_SEARCH_DOM, PH_ADD_DO_ADD, PH_MOD_DO_REQ, PH_MOD_SEARCH_SELF, PH_MOD_SEARCH_DOM, PH_MOD_DO_MOD} step;
78
79         struct ldb_module *module;
80         struct ldb_request *orig_req;
81
82         struct ldb_request *dom_req;
83         struct ldb_reply *dom_res;
84
85         struct ldb_request *down_req;
86
87         struct ldb_request *search_req;
88         struct ldb_reply *search_res;
89
90         struct ldb_request *mod_req;
91
92         struct dom_sid *domain_sid;
93 };
94
95 struct domain_data {
96         bool store_cleartext;
97         uint_t pwdProperties;
98         uint_t pwdHistoryLength;
99         char *netbios_domain;
100         char *dns_domain;
101         char *realm;
102 };
103
104 struct setup_password_fields_io {
105         struct ph_context *ac;
106         struct domain_data *domain;
107         struct smb_krb5_context *smb_krb5_context;
108
109         /* infos about the user account */
110         struct {
111                 uint32_t user_account_control;
112                 const char *sAMAccountName;
113                 const char *user_principal_name;
114                 bool is_computer;
115         } u;
116
117         /* new credentials */
118         struct {
119                 const char *cleartext;
120                 struct samr_Password *nt_hash;
121                 struct samr_Password *lm_hash;
122         } n;
123
124         /* old credentials */
125         struct {
126                 uint32_t nt_history_len;
127                 struct samr_Password *nt_history;
128                 uint32_t lm_history_len;
129                 struct samr_Password *lm_history;
130                 const struct ldb_val *supplemental;
131                 struct supplementalCredentialsBlob scb;
132                 uint32_t kvno;
133         } o;
134
135         /* generated credentials */
136         struct {
137                 struct samr_Password *nt_hash;
138                 struct samr_Password *lm_hash;
139                 uint32_t nt_history_len;
140                 struct samr_Password *nt_history;
141                 uint32_t lm_history_len;
142                 struct samr_Password *lm_history;
143                 const char *salt;
144                 DATA_BLOB aes_256;
145                 DATA_BLOB aes_128;
146                 DATA_BLOB des_md5;
147                 DATA_BLOB des_crc;
148                 struct ldb_val supplemental;
149                 NTTIME last_set;
150                 uint32_t kvno;
151         } g;
152 };
153
154 static int setup_nt_fields(struct setup_password_fields_io *io)
155 {
156         uint32_t i;
157
158         io->g.nt_hash = io->n.nt_hash;
159
160         if (io->domain->pwdHistoryLength == 0) {
161                 return LDB_SUCCESS;
162         }
163
164         /* We might not have an old NT password */
165         io->g.nt_history = talloc_array(io->ac,
166                                         struct samr_Password,
167                                         io->domain->pwdHistoryLength);
168         if (!io->g.nt_history) {
169                 ldb_oom(io->ac->module->ldb);
170                 return LDB_ERR_OPERATIONS_ERROR;
171         }
172
173         for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
174                 io->g.nt_history[i+1] = io->o.nt_history[i];
175         }
176         io->g.nt_history_len = i + 1;
177
178         if (io->g.nt_hash) {
179                 io->g.nt_history[0] = *io->g.nt_hash;
180         } else {
181                 /* 
182                  * TODO: is this correct?
183                  * the simular behavior is correct for the lm history case
184                  */
185                 E_md4hash("", io->g.nt_history[0].hash);
186         }
187
188         return LDB_SUCCESS;
189 }
190
191 static int setup_lm_fields(struct setup_password_fields_io *io)
192 {
193         uint32_t i;
194
195         io->g.lm_hash = io->n.lm_hash;
196
197         if (io->domain->pwdHistoryLength == 0) {
198                 return LDB_SUCCESS;
199         }
200
201         /* We might not have an old NT password */
202         io->g.lm_history = talloc_array(io->ac,
203                                         struct samr_Password,
204                                         io->domain->pwdHistoryLength);
205         if (!io->g.lm_history) {
206                 ldb_oom(io->ac->module->ldb);
207                 return LDB_ERR_OPERATIONS_ERROR;
208         }
209
210         for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
211                 io->g.lm_history[i+1] = io->o.lm_history[i];
212         }
213         io->g.lm_history_len = i + 1;
214
215         if (io->g.lm_hash) {
216                 io->g.lm_history[0] = *io->g.lm_hash;
217         } else {
218                 E_deshash("", io->g.lm_history[0].hash);
219         }
220
221         return LDB_SUCCESS;
222 }
223
224 static int setup_kerberos_keys(struct setup_password_fields_io *io)
225 {
226         krb5_error_code krb5_ret;
227         Principal *salt_principal;
228         krb5_salt salt;
229         krb5_keyblock key;
230
231         /* Many, many thanks to lukeh@padl.com for this
232          * algorithm, described in his Nov 10 2004 mail to
233          * samba-technical@samba.org */
234
235         /*
236          * Determine a salting principal
237          */
238         if (io->u.is_computer) {
239                 char *name;
240                 char *saltbody;
241
242                 name = talloc_strdup(io->ac, io->u.sAMAccountName);
243                 if (!name) {
244                         ldb_oom(io->ac->module->ldb);
245                         return LDB_ERR_OPERATIONS_ERROR;
246                 }
247
248                 if (name[strlen(name)-1] == '$') {
249                         name[strlen(name)-1] = '\0';
250                 }
251
252                 saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
253                 if (!saltbody) {
254                         ldb_oom(io->ac->module->ldb);
255                         return LDB_ERR_OPERATIONS_ERROR;
256                 }
257                 
258                 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
259                                                &salt_principal,
260                                                io->domain->realm, "host",
261                                                saltbody, NULL);
262         } else if (io->u.user_principal_name) {
263                 char *user_principal_name;
264                 char *p;
265
266                 user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
267                 if (!user_principal_name) {
268                         ldb_oom(io->ac->module->ldb);
269                         return LDB_ERR_OPERATIONS_ERROR;
270                 }
271
272                 p = strchr(user_principal_name, '@');
273                 if (p) {
274                         p[0] = '\0';
275                 }
276
277                 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
278                                                &salt_principal,
279                                                io->domain->realm, user_principal_name,
280                                                NULL);
281         } else {
282                 krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
283                                                &salt_principal,
284                                                io->domain->realm, io->u.sAMAccountName,
285                                                NULL);
286         }
287         if (krb5_ret) {
288                 ldb_asprintf_errstring(io->ac->module->ldb,
289                                        "setup_kerberos_keys: "
290                                        "generation of a salting principal failed: %s",
291                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
292                 return LDB_ERR_OPERATIONS_ERROR;
293         }
294
295         /*
296          * create salt from salt_principal
297          */
298         krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
299                                     salt_principal, &salt);
300         krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
301         if (krb5_ret) {
302                 ldb_asprintf_errstring(io->ac->module->ldb,
303                                        "setup_kerberos_keys: "
304                                        "generation of krb5_salt failed: %s",
305                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
306                 return LDB_ERR_OPERATIONS_ERROR;
307         }
308         /* create a talloc copy */
309         io->g.salt = talloc_strndup(io->ac,
310                                     salt.saltvalue.data,
311                                     salt.saltvalue.length);
312         krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
313         if (!io->g.salt) {
314                 ldb_oom(io->ac->module->ldb);
315                 return LDB_ERR_OPERATIONS_ERROR;
316         }
317         salt.saltvalue.data     = discard_const(io->g.salt);
318         salt.saltvalue.length   = strlen(io->g.salt);
319
320         /*
321          * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
322          * the salt and the cleartext password
323          */
324         krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
325                                            ENCTYPE_AES256_CTS_HMAC_SHA1_96,
326                                            io->n.cleartext,
327                                            salt,
328                                            &key);
329         if (krb5_ret) {
330                 ldb_asprintf_errstring(io->ac->module->ldb,
331                                        "setup_kerberos_keys: "
332                                        "generation of a aes256-cts-hmac-sha1-96 key failed: %s",
333                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
334                 return LDB_ERR_OPERATIONS_ERROR;
335         }
336         io->g.aes_256 = data_blob_talloc(io->ac,
337                                          key.keyvalue.data,
338                                          key.keyvalue.length);
339         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
340         if (!io->g.aes_256.data) {
341                 ldb_oom(io->ac->module->ldb);
342                 return LDB_ERR_OPERATIONS_ERROR;
343         }
344
345         /*
346          * create ENCTYPE_AES128_CTS_HMAC_SHA1_96 key out of
347          * the salt and the cleartext password
348          */
349         krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
350                                            ENCTYPE_AES128_CTS_HMAC_SHA1_96,
351                                            io->n.cleartext,
352                                            salt,
353                                            &key);
354         if (krb5_ret) {
355                 ldb_asprintf_errstring(io->ac->module->ldb,
356                                        "setup_kerberos_keys: "
357                                        "generation of a aes128-cts-hmac-sha1-96 key failed: %s",
358                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
359                 return LDB_ERR_OPERATIONS_ERROR;
360         }
361         io->g.aes_128 = data_blob_talloc(io->ac,
362                                          key.keyvalue.data,
363                                          key.keyvalue.length);
364         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
365         if (!io->g.aes_128.data) {
366                 ldb_oom(io->ac->module->ldb);
367                 return LDB_ERR_OPERATIONS_ERROR;
368         }
369
370         /*
371          * create ENCTYPE_DES_CBC_MD5 key out of
372          * the salt and the cleartext password
373          */
374         krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
375                                            ENCTYPE_DES_CBC_MD5,
376                                            io->n.cleartext,
377                                            salt,
378                                            &key);
379         if (krb5_ret) {
380                 ldb_asprintf_errstring(io->ac->module->ldb,
381                                        "setup_kerberos_keys: "
382                                        "generation of a des-cbc-md5 key failed: %s",
383                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
384                 return LDB_ERR_OPERATIONS_ERROR;
385         }
386         io->g.des_md5 = data_blob_talloc(io->ac,
387                                          key.keyvalue.data,
388                                          key.keyvalue.length);
389         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
390         if (!io->g.des_md5.data) {
391                 ldb_oom(io->ac->module->ldb);
392                 return LDB_ERR_OPERATIONS_ERROR;
393         }
394
395         /*
396          * create ENCTYPE_DES_CBC_CRC key out of
397          * the salt and the cleartext password
398          */
399         krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
400                                            ENCTYPE_DES_CBC_CRC,
401                                            io->n.cleartext,
402                                            salt,
403                                            &key);
404         if (krb5_ret) {
405                 ldb_asprintf_errstring(io->ac->module->ldb,
406                                        "setup_kerberos_keys: "
407                                        "generation of a des-cbc-crc key failed: %s",
408                                        smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
409                 return LDB_ERR_OPERATIONS_ERROR;
410         }
411         io->g.des_crc = data_blob_talloc(io->ac,
412                                          key.keyvalue.data,
413                                          key.keyvalue.length);
414         krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
415         if (!io->g.des_crc.data) {
416                 ldb_oom(io->ac->module->ldb);
417                 return LDB_ERR_OPERATIONS_ERROR;
418         }
419
420         return LDB_SUCCESS;
421 }
422
423 static int setup_primary_kerberos(struct setup_password_fields_io *io,
424                                   const struct supplementalCredentialsBlob *old_scb,
425                                   struct package_PrimaryKerberosBlob *pkb)
426 {
427         struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
428         struct supplementalCredentialsPackage *old_scp = NULL;
429         struct package_PrimaryKerberosBlob _old_pkb;
430         struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
431         uint32_t i;
432         enum ndr_err_code ndr_err;
433
434         /*
435          * prepare generation of keys
436          *
437          * ENCTYPE_DES_CBC_MD5
438          * ENCTYPE_DES_CBC_CRC
439          */
440         pkb->version            = 3;
441         pkb3->salt.string       = io->g.salt;
442         pkb3->num_keys          = 2;
443         pkb3->keys              = talloc_array(io->ac,
444                                                struct package_PrimaryKerberosKey3,
445                                                pkb3->num_keys);
446         if (!pkb3->keys) {
447                 ldb_oom(io->ac->module->ldb);
448                 return LDB_ERR_OPERATIONS_ERROR;
449         }
450
451         pkb3->keys[0].keytype   = ENCTYPE_DES_CBC_MD5;
452         pkb3->keys[0].value     = &io->g.des_md5;
453         pkb3->keys[1].keytype   = ENCTYPE_DES_CBC_CRC;
454         pkb3->keys[1].value     = &io->g.des_crc;
455
456         /* initialize the old keys to zero */
457         pkb3->num_old_keys      = 0;
458         pkb3->old_keys          = NULL;
459
460         /* if there're no old keys, then we're done */
461         if (!old_scb) {
462                 return LDB_SUCCESS;
463         }
464
465         for (i=0; i < old_scb->sub.num_packages; i++) {
466                 if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
467                         continue;
468                 }
469
470                 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
471                         continue;
472                 }
473
474                 old_scp = &old_scb->sub.packages[i];
475                 break;
476         }
477         /* Primary:Kerberos element of supplementalCredentials */
478         if (old_scp) {
479                 DATA_BLOB blob;
480
481                 blob = strhex_to_data_blob(old_scp->data);
482                 if (!blob.data) {
483                         ldb_oom(io->ac->module->ldb);
484                         return LDB_ERR_OPERATIONS_ERROR;
485                 }
486                 talloc_steal(io->ac, blob.data);
487
488                 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
489                 ndr_err = ndr_pull_struct_blob(&blob, io->ac, lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), &_old_pkb,
490                                                (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
491                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
492                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
493                         ldb_asprintf_errstring(io->ac->module->ldb,
494                                                "setup_primary_kerberos: "
495                                                "failed to pull old package_PrimaryKerberosBlob: %s",
496                                                nt_errstr(status));
497                         return LDB_ERR_OPERATIONS_ERROR;
498                 }
499
500                 if (_old_pkb.version != 3) {
501                         ldb_asprintf_errstring(io->ac->module->ldb,
502                                                "setup_primary_kerberos: "
503                                                "package_PrimaryKerberosBlob version[%u] expected[3]",
504                                                _old_pkb.version);
505                         return LDB_ERR_OPERATIONS_ERROR;
506                 }
507
508                 old_pkb3 = &_old_pkb.ctr.ctr3;
509         }
510
511         /* if we didn't found the old keys we're done */
512         if (!old_pkb3) {
513                 return LDB_SUCCESS;
514         }
515
516         /* fill in the old keys */
517         pkb3->num_old_keys      = old_pkb3->num_keys;
518         pkb3->old_keys          = old_pkb3->keys;
519
520         return LDB_SUCCESS;
521 }
522
523 static int setup_primary_kerberos_newer(struct setup_password_fields_io *io,
524                                         const struct supplementalCredentialsBlob *old_scb,
525                                         struct package_PrimaryKerberosBlob *pkb)
526 {
527         struct package_PrimaryKerberosCtr4 *pkb4 = &pkb->ctr.ctr4;
528         struct supplementalCredentialsPackage *old_scp = NULL;
529         struct package_PrimaryKerberosBlob _old_pkb;
530         struct package_PrimaryKerberosCtr4 *old_pkb4 = NULL;
531         uint32_t i;
532         enum ndr_err_code ndr_err;
533
534         /*
535          * prepare generation of keys
536          *
537          * ENCTYPE_AES256_CTS_HMAC_SHA1_96
538          * ENCTYPE_AES128_CTS_HMAC_SHA1_96
539          * ENCTYPE_DES_CBC_MD5
540          * ENCTYPE_DES_CBC_CRC
541          */
542         pkb->version                    = 4;
543         pkb4->salt.string               = io->g.salt;
544         pkb4->default_iteration_count   = 4096;
545         pkb4->num_keys                  = 4;
546
547         pkb4->keys = talloc_array(io->ac,
548                                   struct package_PrimaryKerberosKey4,
549                                   pkb4->num_keys);
550         if (!pkb4->keys) {
551                 ldb_oom(io->ac->module->ldb);
552                 return LDB_ERR_OPERATIONS_ERROR;
553         }
554
555         pkb4->keys[0].iteration_count   = 4096;
556         pkb4->keys[0].keytype           = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
557         pkb4->keys[0].value             = &io->g.aes_256;
558         pkb4->keys[1].iteration_count   = 4096;
559         pkb4->keys[1].keytype           = ENCTYPE_AES128_CTS_HMAC_SHA1_96;
560         pkb4->keys[1].value             = &io->g.aes_128;
561         pkb4->keys[2].iteration_count   = 4096;
562         pkb4->keys[2].keytype           = ENCTYPE_DES_CBC_MD5;
563         pkb4->keys[2].value             = &io->g.des_md5;
564         pkb4->keys[3].iteration_count   = 4096;
565         pkb4->keys[3].keytype           = ENCTYPE_DES_CBC_CRC;
566         pkb4->keys[3].value             = &io->g.des_crc;
567
568         /* initialize the old keys to zero */
569         pkb4->num_old_keys      = 0;
570         pkb4->old_keys          = NULL;
571         pkb4->num_older_keys    = 0;
572         pkb4->older_keys        = NULL;
573
574         /* if there're no old keys, then we're done */
575         if (!old_scb) {
576                 return LDB_SUCCESS;
577         }
578
579         for (i=0; i < old_scb->sub.num_packages; i++) {
580                 if (strcmp("Primary:Kerberos-Newer-Keys", old_scb->sub.packages[i].name) != 0) {
581                         continue;
582                 }
583
584                 if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
585                         continue;
586                 }
587
588                 old_scp = &old_scb->sub.packages[i];
589                 break;
590         }
591         /* Primary:Kerberos-Newer-Keys element of supplementalCredentials */
592         if (old_scp) {
593                 DATA_BLOB blob;
594
595                 blob = strhex_to_data_blob(old_scp->data);
596                 if (!blob.data) {
597                         ldb_oom(io->ac->module->ldb);
598                         return LDB_ERR_OPERATIONS_ERROR;
599                 }
600                 talloc_steal(io->ac, blob.data);
601
602                 /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
603                 ndr_err = ndr_pull_struct_blob(&blob, io->ac,
604                                                lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
605                                                &_old_pkb,
606                                                (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
607                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
608                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
609                         ldb_asprintf_errstring(io->ac->module->ldb,
610                                                "setup_primary_kerberos_newer: "
611                                                "failed to pull old package_PrimaryKerberosBlob: %s",
612                                                nt_errstr(status));
613                         return LDB_ERR_OPERATIONS_ERROR;
614                 }
615
616                 if (_old_pkb.version != 4) {
617                         ldb_asprintf_errstring(io->ac->module->ldb,
618                                                "setup_primary_kerberos_newer: "
619                                                "package_PrimaryKerberosBlob version[%u] expected[4]",
620                                                _old_pkb.version);
621                         return LDB_ERR_OPERATIONS_ERROR;
622                 }
623
624                 old_pkb4 = &_old_pkb.ctr.ctr4;
625         }
626
627         /* if we didn't found the old keys we're done */
628         if (!old_pkb4) {
629                 return LDB_SUCCESS;
630         }
631
632         /* fill in the old keys */
633         pkb4->num_old_keys      = old_pkb4->num_keys;
634         pkb4->old_keys          = old_pkb4->keys;
635         pkb4->num_older_keys    = old_pkb4->num_old_keys;
636         pkb4->older_keys        = old_pkb4->old_keys;
637
638         return LDB_SUCCESS;
639 }
640
641 static int setup_primary_wdigest(struct setup_password_fields_io *io,
642                                  const struct supplementalCredentialsBlob *old_scb,
643                                  struct package_PrimaryWDigestBlob *pdb)
644 {
645         DATA_BLOB sAMAccountName;
646         DATA_BLOB sAMAccountName_l;
647         DATA_BLOB sAMAccountName_u;
648         const char *user_principal_name = io->u.user_principal_name;
649         DATA_BLOB userPrincipalName;
650         DATA_BLOB userPrincipalName_l;
651         DATA_BLOB userPrincipalName_u;
652         DATA_BLOB netbios_domain;
653         DATA_BLOB netbios_domain_l;
654         DATA_BLOB netbios_domain_u;
655         DATA_BLOB dns_domain;
656         DATA_BLOB dns_domain_l;
657         DATA_BLOB dns_domain_u;
658         DATA_BLOB cleartext;
659         DATA_BLOB digest;
660         DATA_BLOB delim;
661         DATA_BLOB backslash;
662         uint8_t i;
663         struct {
664                 DATA_BLOB *user;
665                 DATA_BLOB *realm;
666                 DATA_BLOB *nt4dom;
667         } wdigest[] = {
668         /*
669          * See
670          * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
671          * for what precalculated hashes are supposed to be stored...
672          *
673          * I can't reproduce all values which should contain "Digest" as realm,
674          * am I doing something wrong or is w2k3 just broken...?
675          *
676          * W2K3 fills in following for a user:
677          *
678          * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
679          * sAMAccountName: NewUser2Sam
680          * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
681          *
682          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
683          * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
684          * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
685          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
686          * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
687          * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
688          * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
689          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
690          * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
691          * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
692          * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
693          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
694          * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
695          * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
696          * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
697          * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
698          * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
699          * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
700          * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
701          * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
702          * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
703          * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
704          * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
705          * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
706          * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
707          * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
708          * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
709          * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
710          * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
711          *
712          * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
713          * sAMAccountName: NewUser2Sam
714          *
715          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
716          * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
717          * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
718          * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
719          * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
720          * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
721          * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
722          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
723          * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
724          * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
725          * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
726          * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
727          * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
728          * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
729          * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
730          * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
731          * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
732          * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
733          * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
734          * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
735          * 31dc704d3640335b2123d4ee28aa1f11 => ???M1   changes with NewUser2Sam => NewUser1Sam
736          * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
737          * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
738          * 569b4533f2d9e580211dd040e5e360a8 => ???M2   changes with NewUser2Princ => NewUser1Princ
739          * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
740          * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
741          * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
742          * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
743          * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
744          */
745
746         /*
747          * sAMAccountName, netbios_domain
748          */
749                 {
750                 .user   = &sAMAccountName,
751                 .realm  = &netbios_domain,
752                 },
753                 {
754                 .user   = &sAMAccountName_l,
755                 .realm  = &netbios_domain_l,
756                 },
757                 {
758                 .user   = &sAMAccountName_u,
759                 .realm  = &netbios_domain_u,
760                 },
761                 {
762                 .user   = &sAMAccountName,
763                 .realm  = &netbios_domain_u,
764                 },
765                 {
766                 .user   = &sAMAccountName,
767                 .realm  = &netbios_domain_l,
768                 },
769                 {
770                 .user   = &sAMAccountName_u,
771                 .realm  = &netbios_domain_l,
772                 },
773                 {
774                 .user   = &sAMAccountName_l,
775                 .realm  = &netbios_domain_u,
776                 },
777         /* 
778          * sAMAccountName, dns_domain
779          */
780                 {
781                 .user   = &sAMAccountName,
782                 .realm  = &dns_domain,
783                 },
784                 {
785                 .user   = &sAMAccountName_l,
786                 .realm  = &dns_domain_l,
787                 },
788                 {
789                 .user   = &sAMAccountName_u,
790                 .realm  = &dns_domain_u,
791                 },
792                 {
793                 .user   = &sAMAccountName,
794                 .realm  = &dns_domain_u,
795                 },
796                 {
797                 .user   = &sAMAccountName,
798                 .realm  = &dns_domain_l,
799                 },
800                 {
801                 .user   = &sAMAccountName_u,
802                 .realm  = &dns_domain_l,
803                 },
804                 {
805                 .user   = &sAMAccountName_l,
806                 .realm  = &dns_domain_u,
807                 },
808         /* 
809          * userPrincipalName, no realm
810          */
811                 {
812                 .user   = &userPrincipalName,
813                 },
814                 {
815                 /* 
816                  * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
817                  *       the fallback to the sAMAccountName based userPrincipalName is correct
818                  */
819                 .user   = &userPrincipalName_l,
820                 },
821                 {
822                 .user   = &userPrincipalName_u,
823                 },
824         /* 
825          * nt4dom\sAMAccountName, no realm
826          */
827                 {
828                 .user   = &sAMAccountName,
829                 .nt4dom = &netbios_domain
830                 },
831                 {
832                 .user   = &sAMAccountName_l,
833                 .nt4dom = &netbios_domain_l
834                 },
835                 {
836                 .user   = &sAMAccountName_u,
837                 .nt4dom = &netbios_domain_u
838                 },
839
840         /*
841          * the following ones are guessed depending on the technet2 article
842          * but not reproducable on a w2k3 server
843          */
844         /* sAMAccountName with "Digest" realm */
845                 {
846                 .user   = &sAMAccountName,
847                 .realm  = &digest
848                 },
849                 {
850                 .user   = &sAMAccountName_l,
851                 .realm  = &digest
852                 },
853                 {
854                 .user   = &sAMAccountName_u,
855                 .realm  = &digest
856                 },
857         /* userPrincipalName with "Digest" realm */
858                 {
859                 .user   = &userPrincipalName,
860                 .realm  = &digest
861                 },
862                 {
863                 .user   = &userPrincipalName_l,
864                 .realm  = &digest
865                 },
866                 {
867                 .user   = &userPrincipalName_u,
868                 .realm  = &digest
869                 },
870         /* nt4dom\\sAMAccountName with "Digest" realm */
871                 {
872                 .user   = &sAMAccountName,
873                 .nt4dom = &netbios_domain,
874                 .realm  = &digest
875                 },
876                 {
877                 .user   = &sAMAccountName_l,
878                 .nt4dom = &netbios_domain_l,
879                 .realm  = &digest
880                 },
881                 {
882                 .user   = &sAMAccountName_u,
883                 .nt4dom = &netbios_domain_u,
884                 .realm  = &digest
885                 },
886         };
887
888         /* prepare DATA_BLOB's used in the combinations array */
889         sAMAccountName          = data_blob_string_const(io->u.sAMAccountName);
890         sAMAccountName_l        = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
891         if (!sAMAccountName_l.data) {
892                 ldb_oom(io->ac->module->ldb);
893                 return LDB_ERR_OPERATIONS_ERROR;
894         }
895         sAMAccountName_u        = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
896         if (!sAMAccountName_u.data) {
897                 ldb_oom(io->ac->module->ldb);
898                 return LDB_ERR_OPERATIONS_ERROR;
899         }
900
901         /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
902         if (!user_principal_name) {
903                 user_principal_name = talloc_asprintf(io->ac, "%s@%s",
904                                                       io->u.sAMAccountName,
905                                                       io->domain->dns_domain);
906                 if (!user_principal_name) {
907                         ldb_oom(io->ac->module->ldb);
908                         return LDB_ERR_OPERATIONS_ERROR;
909                 }       
910         }
911         userPrincipalName       = data_blob_string_const(user_principal_name);
912         userPrincipalName_l     = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
913         if (!userPrincipalName_l.data) {
914                 ldb_oom(io->ac->module->ldb);
915                 return LDB_ERR_OPERATIONS_ERROR;
916         }
917         userPrincipalName_u     = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
918         if (!userPrincipalName_u.data) {
919                 ldb_oom(io->ac->module->ldb);
920                 return LDB_ERR_OPERATIONS_ERROR;
921         }
922
923         netbios_domain          = data_blob_string_const(io->domain->netbios_domain);
924         netbios_domain_l        = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
925         if (!netbios_domain_l.data) {
926                 ldb_oom(io->ac->module->ldb);
927                 return LDB_ERR_OPERATIONS_ERROR;
928         }
929         netbios_domain_u        = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
930         if (!netbios_domain_u.data) {
931                 ldb_oom(io->ac->module->ldb);
932                 return LDB_ERR_OPERATIONS_ERROR;
933         }
934
935         dns_domain              = data_blob_string_const(io->domain->dns_domain);
936         dns_domain_l            = data_blob_string_const(io->domain->dns_domain);
937         dns_domain_u            = data_blob_string_const(io->domain->realm);
938
939         cleartext               = data_blob_string_const(io->n.cleartext);
940
941         digest                  = data_blob_string_const("Digest");
942
943         delim                   = data_blob_string_const(":");
944         backslash               = data_blob_string_const("\\");
945
946         pdb->num_hashes = ARRAY_SIZE(wdigest);
947         pdb->hashes     = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
948         if (!pdb->hashes) {
949                 ldb_oom(io->ac->module->ldb);
950                 return LDB_ERR_OPERATIONS_ERROR;
951         }
952
953         for (i=0; i < ARRAY_SIZE(wdigest); i++) {
954                 struct MD5Context md5;
955                 MD5Init(&md5);
956                 if (wdigest[i].nt4dom) {
957                         MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
958                         MD5Update(&md5, backslash.data, backslash.length);
959                 }
960                 MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
961                 MD5Update(&md5, delim.data, delim.length);
962                 if (wdigest[i].realm) {
963                         MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
964                 }
965                 MD5Update(&md5, delim.data, delim.length);
966                 MD5Update(&md5, cleartext.data, cleartext.length);
967                 MD5Final(pdb->hashes[i].hash, &md5);
968         }
969
970         return LDB_SUCCESS;
971 }
972
973 static int setup_supplemental_field(struct setup_password_fields_io *io)
974 {
975         struct supplementalCredentialsBlob scb;
976         struct supplementalCredentialsBlob _old_scb;
977         struct supplementalCredentialsBlob *old_scb = NULL;
978         /* Packages + (Kerberos-Newer-Keys, Kerberos, WDigest and CLEARTEXT) */
979         uint32_t num_names = 0;
980         const char *names[1+4];
981         uint32_t num_packages = 0;
982         struct supplementalCredentialsPackage packages[1+4];
983         /* Packages */
984         struct supplementalCredentialsPackage *pp = NULL;
985         struct package_PackagesBlob pb;
986         DATA_BLOB pb_blob;
987         char *pb_hexstr;
988         /* Primary:Kerberos-Newer-Keys */
989         const char **nkn = NULL;
990         struct supplementalCredentialsPackage *pkn = NULL;
991         struct package_PrimaryKerberosBlob pknb;
992         DATA_BLOB pknb_blob;
993         char *pknb_hexstr;
994         /* Primary:Kerberos */
995         const char **nk = NULL;
996         struct supplementalCredentialsPackage *pk = NULL;
997         struct package_PrimaryKerberosBlob pkb;
998         DATA_BLOB pkb_blob;
999         char *pkb_hexstr;
1000         /* Primary:WDigest */
1001         const char **nd = NULL;
1002         struct supplementalCredentialsPackage *pd = NULL;
1003         struct package_PrimaryWDigestBlob pdb;
1004         DATA_BLOB pdb_blob;
1005         char *pdb_hexstr;
1006         /* Primary:CLEARTEXT */
1007         const char **nc = NULL;
1008         struct supplementalCredentialsPackage *pc = NULL;
1009         struct package_PrimaryCLEARTEXTBlob pcb;
1010         DATA_BLOB pcb_blob;
1011         char *pcb_hexstr;
1012         int ret;
1013         enum ndr_err_code ndr_err;
1014         uint8_t zero16[16];
1015         bool do_newer_keys = false;
1016         bool do_cleartext = false;
1017
1018         ZERO_STRUCT(zero16);
1019         ZERO_STRUCT(names);
1020
1021         if (!io->n.cleartext) {
1022                 /* 
1023                  * when we don't have a cleartext password
1024                  * we can't setup a supplementalCredential value
1025                  */
1026                 return LDB_SUCCESS;
1027         }
1028
1029         /* if there's an old supplementaCredentials blob then parse it */
1030         if (io->o.supplemental) {
1031                 ndr_err = ndr_pull_struct_blob_all(io->o.supplemental, io->ac,
1032                                                    lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1033                                                    &_old_scb,
1034                                                    (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
1035                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1036                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1037                         ldb_asprintf_errstring(io->ac->module->ldb,
1038                                                "setup_supplemental_field: "
1039                                                "failed to pull old supplementalCredentialsBlob: %s",
1040                                                nt_errstr(status));
1041                         return LDB_ERR_OPERATIONS_ERROR;
1042                 }
1043
1044                 if (_old_scb.sub.signature == SUPPLEMENTAL_CREDENTIALS_SIGNATURE) {
1045                         old_scb = &_old_scb;
1046                 } else {
1047                         ldb_debug(io->ac->module->ldb, LDB_DEBUG_ERROR,
1048                                                "setup_supplemental_field: "
1049                                                "supplementalCredentialsBlob signature[0x%04X] expected[0x%04X]",
1050                                                _old_scb.sub.signature, SUPPLEMENTAL_CREDENTIALS_SIGNATURE);
1051                 }
1052         }
1053
1054         /* TODO: do the correct check for this, it maybe depends on the functional level? */
1055         do_newer_keys = lp_parm_bool(ldb_get_opaque(io->ac->module->ldb, "loadparm"),
1056                                      NULL, "password_hash", "create_aes_key", false);
1057
1058         if (io->domain->store_cleartext &&
1059             (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
1060                 do_cleartext = true;
1061         }
1062
1063         /*
1064          * The ordering is this
1065          *
1066          * Primary:Kerberos-Newer-Keys (optional)
1067          * Primary:Kerberos
1068          * Primary:WDigest
1069          * Primary:CLEARTEXT (optional)
1070          *
1071          * And the 'Packages' package is insert before the last
1072          * other package.
1073          */
1074         if (do_newer_keys) {
1075                 /* Primary:Kerberos-Newer-Keys */
1076                 nkn = &names[num_names++];
1077                 pkn = &packages[num_packages++];
1078         }
1079
1080         /* Primary:Kerberos */
1081         nk = &names[num_names++];
1082         pk = &packages[num_packages++];
1083
1084         if (!do_cleartext) {
1085                 /* Packages */
1086                 pp = &packages[num_packages++];
1087         }
1088
1089         /* Primary:WDigest */
1090         nd = &names[num_names++];
1091         pd = &packages[num_packages++];
1092
1093         if (do_cleartext) {
1094                 /* Packages */
1095                 pp = &packages[num_packages++];
1096
1097                 /* Primary:CLEARTEXT */
1098                 nc = &names[num_names++];
1099                 pc = &packages[num_packages++];
1100         }
1101
1102         if (pkn) {
1103                 /*
1104                  * setup 'Primary:Kerberos-Newer-Keys' element
1105                  */
1106                 *nkn = "Kerberos-Newer-Keys";
1107
1108                 ret = setup_primary_kerberos_newer(io, old_scb, &pknb);
1109                 if (ret != LDB_SUCCESS) {
1110                         return ret;
1111                 }
1112
1113                 ndr_err = ndr_push_struct_blob(&pknb_blob, io->ac,
1114                                                lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1115                                                &pknb,
1116                                                (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1117                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1118                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1119                         ldb_asprintf_errstring(io->ac->module->ldb,
1120                                                "setup_supplemental_field: "
1121                                                "failed to push package_PrimaryKerberosNeverBlob: %s",
1122                                                nt_errstr(status));
1123                         return LDB_ERR_OPERATIONS_ERROR;
1124                 }
1125                 pknb_hexstr = data_blob_hex_string(io->ac, &pknb_blob);
1126                 if (!pknb_hexstr) {
1127                         ldb_oom(io->ac->module->ldb);
1128                         return LDB_ERR_OPERATIONS_ERROR;
1129                 }
1130                 pkn->name       = "Primary:Kerberos-Newer-Keys";
1131                 pkn->reserved   = 1;
1132                 pkn->data       = pknb_hexstr;
1133         }
1134
1135         /*
1136          * setup 'Primary:Kerberos' element
1137          */
1138         *nk = "Kerberos";
1139
1140         ret = setup_primary_kerberos(io, old_scb, &pkb);
1141         if (ret != LDB_SUCCESS) {
1142                 return ret;
1143         }
1144
1145         ndr_err = ndr_push_struct_blob(&pkb_blob, io->ac, 
1146                                        lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1147                                        &pkb,
1148                                        (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
1149         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1150                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1151                 ldb_asprintf_errstring(io->ac->module->ldb,
1152                                        "setup_supplemental_field: "
1153                                        "failed to push package_PrimaryKerberosBlob: %s",
1154                                        nt_errstr(status));
1155                 return LDB_ERR_OPERATIONS_ERROR;
1156         }
1157         pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
1158         if (!pkb_hexstr) {
1159                 ldb_oom(io->ac->module->ldb);
1160                 return LDB_ERR_OPERATIONS_ERROR;
1161         }
1162         pk->name        = "Primary:Kerberos";
1163         pk->reserved    = 1;
1164         pk->data        = pkb_hexstr;
1165
1166         /*
1167          * setup 'Primary:WDigest' element
1168          */
1169         *nd = "WDigest";
1170
1171         ret = setup_primary_wdigest(io, old_scb, &pdb);
1172         if (ret != LDB_SUCCESS) {
1173                 return ret;
1174         }
1175
1176         ndr_err = ndr_push_struct_blob(&pdb_blob, io->ac, 
1177                                        lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1178                                        &pdb,
1179                                        (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
1180         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1181                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1182                 ldb_asprintf_errstring(io->ac->module->ldb,
1183                                        "setup_supplemental_field: "
1184                                        "failed to push package_PrimaryWDigestBlob: %s",
1185                                        nt_errstr(status));
1186                 return LDB_ERR_OPERATIONS_ERROR;
1187         }
1188         pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
1189         if (!pdb_hexstr) {
1190                 ldb_oom(io->ac->module->ldb);
1191                 return LDB_ERR_OPERATIONS_ERROR;
1192         }
1193         pd->name        = "Primary:WDigest";
1194         pd->reserved    = 1;
1195         pd->data        = pdb_hexstr;
1196
1197         /*
1198          * setup 'Primary:CLEARTEXT' element
1199          */
1200         if (pc) {
1201                 *nc             = "CLEARTEXT";
1202
1203                 pcb.cleartext   = io->n.cleartext;
1204
1205                 ndr_err = ndr_push_struct_blob(&pcb_blob, io->ac, 
1206                                                lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1207                                                &pcb,
1208                                                (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
1209                 if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1210                         NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1211                         ldb_asprintf_errstring(io->ac->module->ldb,
1212                                                "setup_supplemental_field: "
1213                                                "failed to push package_PrimaryCLEARTEXTBlob: %s",
1214                                                nt_errstr(status));
1215                         return LDB_ERR_OPERATIONS_ERROR;
1216                 }
1217                 pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
1218                 if (!pcb_hexstr) {
1219                         ldb_oom(io->ac->module->ldb);
1220                         return LDB_ERR_OPERATIONS_ERROR;
1221                 }
1222                 pc->name        = "Primary:CLEARTEXT";
1223                 pc->reserved    = 1;
1224                 pc->data        = pcb_hexstr;
1225         }
1226
1227         /*
1228          * setup 'Packages' element
1229          */
1230         pb.names = names;
1231         ndr_err = ndr_push_struct_blob(&pb_blob, io->ac, 
1232                                        lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")), 
1233                                        &pb,
1234                                        (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
1235         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1236                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1237                 ldb_asprintf_errstring(io->ac->module->ldb,
1238                                        "setup_supplemental_field: "
1239                                        "failed to push package_PackagesBlob: %s",
1240                                        nt_errstr(status));
1241                 return LDB_ERR_OPERATIONS_ERROR;
1242         }
1243         pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
1244         if (!pb_hexstr) {
1245                 ldb_oom(io->ac->module->ldb);
1246                 return LDB_ERR_OPERATIONS_ERROR;
1247         }
1248         pp->name        = "Packages";
1249         pp->reserved    = 2;
1250         pp->data        = pb_hexstr;
1251
1252         /*
1253          * setup 'supplementalCredentials' value
1254          */
1255         ZERO_STRUCT(scb);
1256         scb.sub.num_packages    = num_packages;
1257         scb.sub.packages        = packages;
1258
1259         ndr_err = ndr_push_struct_blob(&io->g.supplemental, io->ac, 
1260                                        lp_iconv_convenience(ldb_get_opaque(io->ac->module->ldb, "loadparm")),
1261                                        &scb,
1262                                        (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
1263         if (!NDR_ERR_CODE_IS_SUCCESS(ndr_err)) {
1264                 NTSTATUS status = ndr_map_error2ntstatus(ndr_err);
1265                 ldb_asprintf_errstring(io->ac->module->ldb,
1266                                        "setup_supplemental_field: "
1267                                        "failed to push supplementalCredentialsBlob: %s",
1268                                        nt_errstr(status));
1269                 return LDB_ERR_OPERATIONS_ERROR;
1270         }
1271
1272         return LDB_SUCCESS;
1273 }
1274
1275 static int setup_last_set_field(struct setup_password_fields_io *io)
1276 {
1277         /* set it as now */
1278         unix_to_nt_time(&io->g.last_set, time(NULL));
1279
1280         return LDB_SUCCESS;
1281 }
1282
1283 static int setup_kvno_field(struct setup_password_fields_io *io)
1284 {
1285         /* increment by one */
1286         io->g.kvno = io->o.kvno + 1;
1287
1288         return LDB_SUCCESS;
1289 }
1290
1291 static int setup_password_fields(struct setup_password_fields_io *io)
1292 {
1293         bool ok;
1294         int ret;
1295
1296         /*
1297          * refuse the change if someone want to change the cleartext
1298          * and supply his own hashes at the same time...
1299          */
1300         if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
1301                 ldb_asprintf_errstring(io->ac->module->ldb,
1302                                        "setup_password_fields: "
1303                                        "it's only allowed to set the cleartext password or the password hashes");
1304                 return LDB_ERR_UNWILLING_TO_PERFORM;
1305         }
1306
1307         if (io->n.cleartext) {
1308                 struct samr_Password *hash;
1309
1310                 hash = talloc(io->ac, struct samr_Password);
1311                 if (!hash) {
1312                         ldb_oom(io->ac->module->ldb);
1313                         return LDB_ERR_OPERATIONS_ERROR;
1314                 }
1315
1316                 /* compute the new nt hash */
1317                 ok = E_md4hash(io->n.cleartext, hash->hash);
1318                 if (ok) {
1319                         io->n.nt_hash = hash;
1320                 } else {
1321                         ldb_asprintf_errstring(io->ac->module->ldb,
1322                                                "setup_password_fields: "
1323                                                "failed to generate nthash from cleartext password");
1324                         return LDB_ERR_OPERATIONS_ERROR;
1325                 }
1326         }
1327
1328         if (io->n.cleartext) {
1329                 struct samr_Password *hash;
1330
1331                 hash = talloc(io->ac, struct samr_Password);
1332                 if (!hash) {
1333                         ldb_oom(io->ac->module->ldb);
1334                         return LDB_ERR_OPERATIONS_ERROR;
1335                 }
1336
1337                 /* compute the new lm hash */
1338                 ok = E_deshash(io->n.cleartext, hash->hash);
1339                 if (ok) {
1340                         io->n.lm_hash = hash;
1341                 } else {
1342                         talloc_free(hash->hash);
1343                 }
1344         }
1345
1346         if (io->n.cleartext) {
1347                 ret = setup_kerberos_keys(io);
1348                 if (ret != 0) {
1349                         return ret;
1350                 }
1351         }
1352
1353         ret = setup_nt_fields(io);
1354         if (ret != 0) {
1355                 return ret;
1356         }
1357
1358         ret = setup_lm_fields(io);
1359         if (ret != 0) {
1360                 return ret;
1361         }
1362
1363         ret = setup_supplemental_field(io);
1364         if (ret != 0) {
1365                 return ret;
1366         }
1367
1368         ret = setup_last_set_field(io);
1369         if (ret != 0) {
1370                 return ret;
1371         }
1372
1373         ret = setup_kvno_field(io);
1374         if (ret != 0) {
1375                 return ret;
1376         }
1377
1378         return LDB_SUCCESS;
1379 }
1380
1381 static struct ldb_handle *ph_init_handle(struct ldb_request *req, struct ldb_module *module, enum ph_type type)
1382 {
1383         struct ph_context *ac;
1384         struct ldb_handle *h;
1385
1386         h = talloc_zero(req, struct ldb_handle);
1387         if (h == NULL) {
1388                 ldb_set_errstring(module->ldb, "Out of Memory");
1389                 return NULL;
1390         }
1391
1392         h->module = module;
1393
1394         ac = talloc_zero(h, struct ph_context);
1395         if (ac == NULL) {
1396                 ldb_set_errstring(module->ldb, "Out of Memory");
1397                 talloc_free(h);
1398                 return NULL;
1399         }
1400
1401         h->private_data = (void *)ac;
1402
1403         h->state = LDB_ASYNC_INIT;
1404         h->status = LDB_SUCCESS;
1405
1406         ac->type = type;
1407         ac->module = module;
1408         ac->orig_req = req;
1409
1410         return h;
1411 }
1412
1413 static int get_domain_data_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1414 {
1415         struct ph_context *ac;
1416
1417         ac = talloc_get_type(context, struct ph_context);
1418
1419         /* we are interested only in the single reply (base search) we receive here */
1420         if (ares->type == LDB_REPLY_ENTRY) {
1421                 if (ac->dom_res != NULL) {
1422                         ldb_set_errstring(ldb, "Too many results");
1423                         talloc_free(ares);
1424                         return LDB_ERR_OPERATIONS_ERROR;
1425                 }
1426                 ac->dom_res = talloc_steal(ac, ares);
1427         } else {
1428                 talloc_free(ares);
1429         }
1430
1431         return LDB_SUCCESS;
1432 }
1433
1434 static int build_domain_data_request(struct ph_context *ac)
1435 {
1436         /* attrs[] is returned from this function in
1437            ac->dom_req->op.search.attrs, so it must be static, as
1438            otherwise the compiler can put it on the stack */
1439         static const char * const attrs[] = { "pwdProperties", "pwdHistoryLength", NULL };
1440         char *filter;
1441
1442         ac->dom_req = talloc_zero(ac, struct ldb_request);
1443         if (ac->dom_req == NULL) {
1444                 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1445                 return LDB_ERR_OPERATIONS_ERROR;
1446         }
1447         ac->dom_req->operation = LDB_SEARCH;
1448         ac->dom_req->op.search.base = ldb_get_default_basedn(ac->module->ldb);
1449         ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
1450
1451         filter = talloc_asprintf(ac->dom_req,
1452                                  "(&(objectSid=%s)(|(|(objectClass=domain)(objectClass=builtinDomain))(objectClass=samba4LocalDomain)))", 
1453                                  ldap_encode_ndr_dom_sid(ac->dom_req, ac->domain_sid));
1454         if (filter == NULL) {
1455                 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1456                 talloc_free(ac->dom_req);
1457                 return LDB_ERR_OPERATIONS_ERROR;
1458         }
1459
1460         ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
1461         if (ac->dom_req->op.search.tree == NULL) {
1462                 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1463                 talloc_free(ac->dom_req);
1464                 return LDB_ERR_OPERATIONS_ERROR;
1465         }
1466         ac->dom_req->op.search.attrs = attrs;
1467         ac->dom_req->controls = NULL;
1468         ac->dom_req->context = ac;
1469         ac->dom_req->callback = get_domain_data_callback;
1470         ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->dom_req);
1471
1472         return LDB_SUCCESS;
1473 }
1474
1475 static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx, struct ldb_reply *res)
1476 {
1477         struct domain_data *data;
1478         const char *tmp;
1479         struct ph_context *ac;
1480         char *p;
1481
1482         ac = talloc_get_type(ctx, struct ph_context);
1483
1484         data = talloc_zero(ac, struct domain_data);
1485         if (data == NULL) {
1486                 return NULL;
1487         }
1488
1489         if (res == NULL) {
1490                 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain: %s!\n", dom_sid_string(data, ac->domain_sid));
1491                 talloc_free(data);
1492                 return NULL;
1493         }
1494
1495         data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
1496         data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
1497         data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
1498
1499         /* For a domain DN, this puts things in dotted notation */
1500         /* For builtin domains, this will give details for the host,
1501          * but that doesn't really matter, as it's just used for salt
1502          * and kerberos principals, which don't exist here */
1503
1504         tmp = ldb_dn_canonical_string(ctx, res->message->dn);
1505         if (!tmp) {
1506                 return NULL;
1507         }
1508         
1509         /* But it puts a trailing (or just before 'builtin') / on things, so kill that */
1510         p = strchr(tmp, '/');
1511         if (p) {
1512                 p[0] = '\0';
1513         }
1514
1515         if (tmp != NULL) {
1516                 data->dns_domain = strlower_talloc(data, tmp);
1517                 if (data->dns_domain == NULL) {
1518                         ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1519                         return NULL;
1520                 }
1521                 data->realm = strupper_talloc(data, tmp);
1522                 if (data->realm == NULL) {
1523                         ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1524                         return NULL;
1525                 }
1526                 p = strchr(tmp, '.');
1527                 if (p) {
1528                         p[0] = '\0';
1529                 }
1530                 data->netbios_domain = strupper_talloc(data, tmp);
1531                 if (data->netbios_domain == NULL) {
1532                         ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
1533                         return NULL;
1534                 }
1535         }
1536
1537         return data;
1538 }
1539
1540 static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
1541 {
1542         struct ldb_handle *h;
1543         struct ph_context *ac;
1544         struct ldb_message_element *sambaAttr;
1545         struct ldb_message_element *ntAttr;
1546         struct ldb_message_element *lmAttr;
1547         int ret;
1548
1549         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_add\n");
1550
1551         if (ldb_dn_is_special(req->op.add.message->dn)) { /* do not manipulate our control entries */
1552                 return ldb_next_request(module, req);
1553         }
1554
1555         /* If the caller is manipulating the local passwords directly, let them pass */
1556         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1557                                 req->op.add.message->dn) == 0) {
1558                 return ldb_next_request(module, req);
1559         }
1560
1561         /* nobody must touch this fields */
1562         if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1563                 return LDB_ERR_UNWILLING_TO_PERFORM;
1564         }
1565         if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1566                 return LDB_ERR_UNWILLING_TO_PERFORM;
1567         }
1568         if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1569                 return LDB_ERR_UNWILLING_TO_PERFORM;
1570         }
1571
1572         /* If no part of this ADD touches the userPassword, or the NT
1573          * or LM hashes, then we don't need to make any changes.  */
1574
1575         sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1576         ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1577         lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1578
1579         if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1580                 return ldb_next_request(module, req);
1581         }
1582
1583         /* if it is not an entry of type person its an error */
1584         /* TODO: remove this when userPassword will be in schema */
1585         if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
1586                 ldb_set_errstring(module->ldb, "Cannot set a password on entry that does not have objectClass 'person'");
1587                 return LDB_ERR_OBJECT_CLASS_VIOLATION;
1588         }
1589
1590         /* check userPassword is single valued here */
1591         /* TODO: remove this when userPassword will be single valued in schema */
1592         if (sambaAttr && sambaAttr->num_values > 1) {
1593                 ldb_set_errstring(module->ldb, "mupltiple values for userPassword not allowed!\n");
1594                 return LDB_ERR_CONSTRAINT_VIOLATION;
1595         }
1596
1597         if (ntAttr && (ntAttr->num_values > 1)) {
1598                 ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
1599                 return LDB_ERR_CONSTRAINT_VIOLATION;
1600         }
1601         if (lmAttr && (lmAttr->num_values > 1)) {
1602                 ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
1603                 return LDB_ERR_CONSTRAINT_VIOLATION;
1604         }
1605
1606         if (sambaAttr && sambaAttr->num_values == 0) {
1607                 ldb_set_errstring(module->ldb, "userPassword must have a value!\n");
1608                 return LDB_ERR_CONSTRAINT_VIOLATION;
1609         }
1610
1611         if (ntAttr && (ntAttr->num_values == 0)) {
1612                 ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
1613                 return LDB_ERR_CONSTRAINT_VIOLATION;
1614         }
1615         if (lmAttr && (lmAttr->num_values == 0)) {
1616                 ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
1617                 return LDB_ERR_CONSTRAINT_VIOLATION;
1618         }
1619
1620         h = ph_init_handle(req, module, PH_ADD);
1621         if (!h) {
1622                 return LDB_ERR_OPERATIONS_ERROR;
1623         }
1624         ac = talloc_get_type(h->private_data, struct ph_context);
1625
1626         /* get user domain data */
1627         ac->domain_sid = samdb_result_sid_prefix(ac, req->op.add.message, "objectSid");
1628         if (ac->domain_sid == NULL) {
1629                 ldb_debug(module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1630                 return LDB_ERR_OPERATIONS_ERROR;
1631         }
1632
1633         ret = build_domain_data_request(ac);
1634         if (ret != LDB_SUCCESS) {
1635                 return ret;
1636         }
1637
1638         ac->step = PH_ADD_SEARCH_DOM;
1639
1640         req->handle = h;
1641
1642         return ldb_next_request(module, ac->dom_req);
1643 }
1644
1645 static int password_hash_add_do_add(struct ldb_handle *h) {
1646
1647         struct ph_context *ac;
1648         struct domain_data *domain;
1649         struct smb_krb5_context *smb_krb5_context;
1650         struct ldb_message *msg;
1651         struct setup_password_fields_io io;
1652         int ret;
1653
1654         ac = talloc_get_type(h->private_data, struct ph_context);
1655
1656         domain = get_domain_data(ac->module, ac, ac->dom_res);
1657         if (domain == NULL) {
1658                 return LDB_ERR_OPERATIONS_ERROR;
1659         }
1660
1661         ac->down_req = talloc(ac, struct ldb_request);
1662         if (ac->down_req == NULL) {
1663                 return LDB_ERR_OPERATIONS_ERROR;
1664         }
1665
1666         *(ac->down_req) = *(ac->orig_req);
1667         ac->down_req->op.add.message = msg = ldb_msg_copy_shallow(ac->down_req, ac->orig_req->op.add.message);
1668         if (ac->down_req->op.add.message == NULL) {
1669                 return LDB_ERR_OPERATIONS_ERROR;
1670         }
1671
1672         /* Some operations below require kerberos contexts */
1673         if (smb_krb5_init_context(ac->down_req, 
1674                                   ldb_get_opaque(h->module->ldb, "EventContext"), 
1675                                   (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"), 
1676                                   &smb_krb5_context) != 0) {
1677                 return LDB_ERR_OPERATIONS_ERROR;
1678         }
1679
1680         ZERO_STRUCT(io);
1681         io.ac                           = ac;
1682         io.domain                       = domain;
1683         io.smb_krb5_context             = smb_krb5_context;
1684
1685         io.u.user_account_control       = samdb_result_uint(msg, "userAccountControl", 0);
1686         io.u.sAMAccountName             = samdb_result_string(msg, "samAccountName", NULL);
1687         io.u.user_principal_name        = samdb_result_string(msg, "userPrincipalName", NULL);
1688         io.u.is_computer                = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
1689
1690         io.n.cleartext                  = samdb_result_string(msg, "userPassword", NULL);
1691         io.n.nt_hash                    = samdb_result_hash(io.ac, msg, "unicodePwd");
1692         io.n.lm_hash                    = samdb_result_hash(io.ac, msg, "dBCSPwd");
1693
1694         /* remove attributes */
1695         if (io.n.cleartext) ldb_msg_remove_attr(msg, "userPassword");
1696         if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
1697         if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
1698         ldb_msg_remove_attr(msg, "pwdLastSet");
1699         io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
1700         ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
1701
1702         ret = setup_password_fields(&io);
1703         if (ret != LDB_SUCCESS) {
1704                 return ret;
1705         }
1706
1707         if (io.g.nt_hash) {
1708                 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1709                                          "unicodePwd", io.g.nt_hash);
1710                 if (ret != LDB_SUCCESS) {
1711                         return ret;
1712                 }
1713         }
1714         if (io.g.lm_hash) {
1715                 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
1716                                          "dBCSPwd", io.g.lm_hash);
1717                 if (ret != LDB_SUCCESS) {
1718                         return ret;
1719                 }
1720         }
1721         if (io.g.nt_history_len > 0) {
1722                 ret = samdb_msg_add_hashes(ac, msg,
1723                                            "ntPwdHistory",
1724                                            io.g.nt_history,
1725                                            io.g.nt_history_len);
1726                 if (ret != LDB_SUCCESS) {
1727                         return ret;
1728                 }
1729         }
1730         if (io.g.lm_history_len > 0) {
1731                 ret = samdb_msg_add_hashes(ac, msg,
1732                                            "lmPwdHistory",
1733                                            io.g.lm_history,
1734                                            io.g.lm_history_len);
1735                 if (ret != LDB_SUCCESS) {
1736                         return ret;
1737                 }
1738         }
1739         if (io.g.supplemental.length > 0) {
1740                 ret = ldb_msg_add_value(msg, "supplementalCredentials",
1741                                         &io.g.supplemental, NULL);
1742                 if (ret != LDB_SUCCESS) {
1743                         return ret;
1744                 }
1745         }
1746         ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
1747                                    "pwdLastSet",
1748                                    io.g.last_set);
1749         if (ret != LDB_SUCCESS) {
1750                 return ret;
1751         }
1752         ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
1753                                  "msDs-KeyVersionNumber",
1754                                  io.g.kvno);
1755         if (ret != LDB_SUCCESS) {
1756                 return ret;
1757         }
1758
1759         h->state = LDB_ASYNC_INIT;
1760         h->status = LDB_SUCCESS;
1761
1762         ac->step = PH_ADD_DO_ADD;
1763
1764         ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->down_req);
1765
1766         /* perform the operation */
1767         return ldb_next_request(ac->module, ac->down_req);
1768 }
1769
1770 static int password_hash_mod_search_self(struct ldb_handle *h);
1771
1772 static int password_hash_modify(struct ldb_module *module, struct ldb_request *req)
1773 {
1774         struct ldb_handle *h;
1775         struct ph_context *ac;
1776         struct ldb_message_element *sambaAttr;
1777         struct ldb_message_element *ntAttr;
1778         struct ldb_message_element *lmAttr;
1779         struct ldb_message *msg;
1780
1781         ldb_debug(module->ldb, LDB_DEBUG_TRACE, "password_hash_modify\n");
1782
1783         if (ldb_dn_is_special(req->op.mod.message->dn)) { /* do not manipulate our control entries */
1784                 return ldb_next_request(module, req);
1785         }
1786         
1787         /* If the caller is manipulating the local passwords directly, let them pass */
1788         if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
1789                                 req->op.mod.message->dn) == 0) {
1790                 return ldb_next_request(module, req);
1791         }
1792
1793         /* nobody must touch password Histories */
1794         if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
1795                 return LDB_ERR_UNWILLING_TO_PERFORM;
1796         }
1797         if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
1798                 return LDB_ERR_UNWILLING_TO_PERFORM;
1799         }
1800         if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
1801                 return LDB_ERR_UNWILLING_TO_PERFORM;
1802         }
1803
1804         sambaAttr = ldb_msg_find_element(req->op.mod.message, "userPassword");
1805         ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
1806         lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
1807
1808         /* If no part of this touches the userPassword OR unicodePwd and/or dBCSPwd, then we don't
1809          * need to make any changes.  For password changes/set there should
1810          * be a 'delete' or a 'modify' on this attribute. */
1811         if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
1812                 return ldb_next_request(module, req);
1813         }
1814
1815         /* check passwords are single valued here */
1816         /* TODO: remove this when passwords will be single valued in schema */
1817         if (sambaAttr && (sambaAttr->num_values > 1)) {
1818                 return LDB_ERR_CONSTRAINT_VIOLATION;
1819         }
1820         if (ntAttr && (ntAttr->num_values > 1)) {
1821                 return LDB_ERR_CONSTRAINT_VIOLATION;
1822         }
1823         if (lmAttr && (lmAttr->num_values > 1)) {
1824                 return LDB_ERR_CONSTRAINT_VIOLATION;
1825         }
1826
1827         h = ph_init_handle(req, module, PH_MOD);
1828         if (!h) {
1829                 return LDB_ERR_OPERATIONS_ERROR;
1830         }
1831         ac = talloc_get_type(h->private_data, struct ph_context);
1832
1833         /* return or own handle to deal with this call */
1834         req->handle = h;
1835
1836         /* prepare the first operation */
1837         ac->down_req = talloc_zero(ac, struct ldb_request);
1838         if (ac->down_req == NULL) {
1839                 ldb_set_errstring(module->ldb, "Out of memory!");
1840                 return LDB_ERR_OPERATIONS_ERROR;
1841         }
1842
1843         *(ac->down_req) = *req; /* copy the request */
1844
1845         /* use a new message structure so that we can modify it */
1846         ac->down_req->op.mod.message = msg = ldb_msg_copy_shallow(ac->down_req, req->op.mod.message);
1847
1848         /* - remove any imodification to the password from the first commit
1849          *   we will make the real modification later */
1850         if (sambaAttr) ldb_msg_remove_attr(msg, "userPassword");
1851         if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
1852         if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
1853
1854         /* if there was nothing else to be modify skip to next step */
1855         if (msg->num_elements == 0) {
1856                 talloc_free(ac->down_req);
1857                 ac->down_req = NULL;
1858                 return password_hash_mod_search_self(h);
1859         }
1860         
1861         ac->down_req->context = NULL;
1862         ac->down_req->callback = NULL;
1863
1864         ac->step = PH_MOD_DO_REQ;
1865
1866         ldb_set_timeout_from_prev_req(module->ldb, req, ac->down_req);
1867
1868         return ldb_next_request(module, ac->down_req);
1869 }
1870
1871 static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_reply *ares)
1872 {
1873         struct ph_context *ac;
1874
1875         ac = talloc_get_type(context, struct ph_context);
1876
1877         /* we are interested only in the single reply (base search) we receive here */
1878         if (ares->type == LDB_REPLY_ENTRY) {
1879                 if (ac->search_res != NULL) {
1880                         ldb_set_errstring(ldb, "Too many results");
1881                         talloc_free(ares);
1882                         return LDB_ERR_OPERATIONS_ERROR;
1883                 }
1884
1885                 /* if it is not an entry of type person this is an error */
1886                 /* TODO: remove this when userPassword will be in schema */
1887                 if (!ldb_msg_check_string_attribute(ares->message, "objectClass", "person")) {
1888                         ldb_set_errstring(ldb, "Object class violation");
1889                         talloc_free(ares);
1890                         return LDB_ERR_OBJECT_CLASS_VIOLATION;
1891                 }
1892
1893                 ac->search_res = talloc_steal(ac, ares);
1894         } else {
1895                 talloc_free(ares);
1896         }
1897
1898         return LDB_SUCCESS;
1899 }
1900
1901 static int password_hash_mod_search_self(struct ldb_handle *h) {
1902
1903         struct ph_context *ac;
1904         static const char * const attrs[] = { "userAccountControl", "lmPwdHistory", 
1905                                               "ntPwdHistory", 
1906                                               "objectSid", "msDS-KeyVersionNumber", 
1907                                               "objectClass", "userPrincipalName",
1908                                               "sAMAccountName", 
1909                                               "dBCSPwd", "unicodePwd",
1910                                               "supplementalCredentials",
1911                                               NULL };
1912
1913         ac = talloc_get_type(h->private_data, struct ph_context);
1914
1915         /* prepare the search operation */
1916         ac->search_req = talloc_zero(ac, struct ldb_request);
1917         if (ac->search_req == NULL) {
1918                 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
1919                 return LDB_ERR_OPERATIONS_ERROR;
1920         }
1921
1922         ac->search_req->operation = LDB_SEARCH;
1923         ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
1924         ac->search_req->op.search.scope = LDB_SCOPE_BASE;
1925         ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
1926         if (ac->search_req->op.search.tree == NULL) {
1927                 ldb_set_errstring(ac->module->ldb, "Invalid search filter");
1928                 return LDB_ERR_OPERATIONS_ERROR;
1929         }
1930         ac->search_req->op.search.attrs = attrs;
1931         ac->search_req->controls = NULL;
1932         ac->search_req->context = ac;
1933         ac->search_req->callback = get_self_callback;
1934         ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->search_req);
1935
1936         ac->step = PH_MOD_SEARCH_SELF;
1937
1938         return ldb_next_request(ac->module, ac->search_req);
1939 }
1940
1941 static int password_hash_mod_search_dom(struct ldb_handle *h) {
1942
1943         struct ph_context *ac;
1944         int ret;
1945
1946         ac = talloc_get_type(h->private_data, struct ph_context);
1947
1948         /* get object domain sid */
1949         ac->domain_sid = samdb_result_sid_prefix(ac, ac->search_res->message, "objectSid");
1950         if (ac->domain_sid == NULL) {
1951                 ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "can't handle entry with missing objectSid!\n");
1952                 return LDB_ERR_OPERATIONS_ERROR;
1953         }
1954
1955         /* get user domain data */
1956         ret = build_domain_data_request(ac);
1957         if (ret != LDB_SUCCESS) {
1958                 return ret;
1959         }
1960
1961         ac->step = PH_MOD_SEARCH_DOM;
1962
1963         return ldb_next_request(ac->module, ac->dom_req);
1964 }
1965
1966 static int password_hash_mod_do_mod(struct ldb_handle *h) {
1967
1968         struct ph_context *ac;
1969         struct domain_data *domain;
1970         struct smb_krb5_context *smb_krb5_context;
1971         struct ldb_message *msg;
1972         struct ldb_message *orig_msg;
1973         struct ldb_message *searched_msg;
1974         struct setup_password_fields_io io;
1975         int ret;
1976
1977         ac = talloc_get_type(h->private_data, struct ph_context);
1978
1979         domain = get_domain_data(ac->module, ac, ac->dom_res);
1980         if (domain == NULL) {
1981                 return LDB_ERR_OPERATIONS_ERROR;
1982         }
1983
1984         ac->mod_req = talloc(ac, struct ldb_request);
1985         if (ac->mod_req == NULL) {
1986                 return LDB_ERR_OPERATIONS_ERROR;
1987         }
1988
1989         *(ac->mod_req) = *(ac->orig_req);
1990         
1991         /* use a new message structure so that we can modify it */
1992         ac->mod_req->op.mod.message = msg = ldb_msg_new(ac->mod_req);
1993         if (msg == NULL) {
1994                 return LDB_ERR_OPERATIONS_ERROR;
1995         }
1996
1997         /* modify dn */
1998         msg->dn = ac->orig_req->op.mod.message->dn;
1999
2000         /* Some operations below require kerberos contexts */
2001         if (smb_krb5_init_context(ac->mod_req, 
2002                                   ldb_get_opaque(h->module->ldb, "EventContext"), 
2003                                   (struct loadparm_context *)ldb_get_opaque(h->module->ldb, "loadparm"), 
2004                                   &smb_krb5_context) != 0) {
2005                 return LDB_ERR_OPERATIONS_ERROR;
2006         }
2007
2008         orig_msg        = discard_const(ac->orig_req->op.mod.message);
2009         searched_msg    = ac->search_res->message;
2010
2011         ZERO_STRUCT(io);
2012         io.ac                           = ac;
2013         io.domain                       = domain;
2014         io.smb_krb5_context             = smb_krb5_context;
2015
2016         io.u.user_account_control       = samdb_result_uint(searched_msg, "userAccountControl", 0);
2017         io.u.sAMAccountName             = samdb_result_string(searched_msg, "samAccountName", NULL);
2018         io.u.user_principal_name        = samdb_result_string(searched_msg, "userPrincipalName", NULL);
2019         io.u.is_computer                = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
2020
2021         io.n.cleartext                  = samdb_result_string(orig_msg, "userPassword", NULL);
2022         io.n.nt_hash                    = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
2023         io.n.lm_hash                    = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
2024
2025         io.o.kvno                       = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
2026         io.o.nt_history_len             = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
2027         io.o.lm_history_len             = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
2028         io.o.supplemental               = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
2029
2030         ret = setup_password_fields(&io);
2031         if (ret != LDB_SUCCESS) {
2032                 return ret;
2033         }
2034
2035         /* make sure we replace all the old attributes */
2036         ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
2037         ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
2038         ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2039         ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
2040         ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
2041         ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
2042         ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
2043
2044         if (io.g.nt_hash) {
2045                 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
2046                                          "unicodePwd", io.g.nt_hash);
2047                 if (ret != LDB_SUCCESS) {
2048                         return ret;
2049                 }
2050         }
2051         if (io.g.lm_hash) {
2052                 ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
2053                                          "dBCSPwd", io.g.lm_hash);
2054                 if (ret != LDB_SUCCESS) {
2055                         return ret;
2056                 }
2057         }
2058         if (io.g.nt_history_len > 0) {
2059                 ret = samdb_msg_add_hashes(ac, msg,
2060                                            "ntPwdHistory",
2061                                            io.g.nt_history,
2062                                            io.g.nt_history_len);
2063                 if (ret != LDB_SUCCESS) {
2064                         return ret;
2065                 }
2066         }
2067         if (io.g.lm_history_len > 0) {
2068                 ret = samdb_msg_add_hashes(ac, msg,
2069                                            "lmPwdHistory",
2070                                            io.g.lm_history,
2071                                            io.g.lm_history_len);
2072                 if (ret != LDB_SUCCESS) {
2073                         return ret;
2074                 }
2075         }
2076         if (io.g.supplemental.length > 0) {
2077                 ret = ldb_msg_add_value(msg, "supplementalCredentials",
2078                                         &io.g.supplemental, NULL);
2079                 if (ret != LDB_SUCCESS) {
2080                         return ret;
2081                 }
2082         }
2083         ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
2084                                    "pwdLastSet",
2085                                    io.g.last_set);
2086         if (ret != LDB_SUCCESS) {
2087                 return ret;
2088         }
2089         ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
2090                                  "msDs-KeyVersionNumber",
2091                                  io.g.kvno);
2092         if (ret != LDB_SUCCESS) {
2093                 return ret;
2094         }
2095
2096         h->state = LDB_ASYNC_INIT;
2097         h->status = LDB_SUCCESS;
2098
2099         ac->step = PH_MOD_DO_MOD;
2100
2101         ldb_set_timeout_from_prev_req(ac->module->ldb, ac->orig_req, ac->mod_req);
2102
2103         /* perform the search */
2104         return ldb_next_request(ac->module, ac->mod_req);
2105 }
2106
2107 static int ph_wait(struct ldb_handle *handle) {
2108         struct ph_context *ac;
2109         int ret;
2110     
2111         if (!handle || !handle->private_data) {
2112                 return LDB_ERR_OPERATIONS_ERROR;
2113         }
2114
2115         if (handle->state == LDB_ASYNC_DONE) {
2116                 return handle->status;
2117         }
2118
2119         handle->state = LDB_ASYNC_PENDING;
2120         handle->status = LDB_SUCCESS;
2121
2122         ac = talloc_get_type(handle->private_data, struct ph_context);
2123
2124         switch (ac->step) {
2125         case PH_ADD_SEARCH_DOM:
2126                 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
2127
2128                 if (ret != LDB_SUCCESS) {
2129                         handle->status = ret;
2130                         goto done;
2131                 }
2132                 if (ac->dom_req->handle->status != LDB_SUCCESS) {
2133                         handle->status = ac->dom_req->handle->status;
2134                         goto done;
2135                 }
2136
2137                 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
2138                         return LDB_SUCCESS;
2139                 }
2140
2141                 /* domain search done, go on */
2142                 return password_hash_add_do_add(handle);
2143
2144         case PH_ADD_DO_ADD:
2145                 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
2146
2147                 if (ret != LDB_SUCCESS) {
2148                         handle->status = ret;
2149                         goto done;
2150                 }
2151                 if (ac->down_req->handle->status != LDB_SUCCESS) {
2152                         handle->status = ac->down_req->handle->status;
2153                         goto done;
2154                 }
2155
2156                 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
2157                         return LDB_SUCCESS;
2158                 }
2159
2160                 break;
2161                 
2162         case PH_MOD_DO_REQ:
2163                 ret = ldb_wait(ac->down_req->handle, LDB_WAIT_NONE);
2164
2165                 if (ret != LDB_SUCCESS) {
2166                         handle->status = ret;
2167                         goto done;
2168                 }
2169                 if (ac->down_req->handle->status != LDB_SUCCESS) {
2170                         handle->status = ac->down_req->handle->status;
2171                         goto done;
2172                 }
2173
2174                 if (ac->down_req->handle->state != LDB_ASYNC_DONE) {
2175                         return LDB_SUCCESS;
2176                 }
2177
2178                 /* non-password mods done, go on */
2179                 return password_hash_mod_search_self(handle);
2180                 
2181         case PH_MOD_SEARCH_SELF:
2182                 ret = ldb_wait(ac->search_req->handle, LDB_WAIT_NONE);
2183
2184                 if (ret != LDB_SUCCESS) {
2185                         handle->status = ret;
2186                         goto done;
2187                 }
2188                 if (ac->search_req->handle->status != LDB_SUCCESS) {
2189                         handle->status = ac->search_req->handle->status;
2190                         goto done;
2191                 }
2192
2193                 if (ac->search_req->handle->state != LDB_ASYNC_DONE) {
2194                         return LDB_SUCCESS;
2195                 }
2196
2197                 if (ac->search_res == NULL) {
2198                         return LDB_ERR_NO_SUCH_OBJECT;
2199                 }
2200
2201                 /* self search done, go on */
2202                 return password_hash_mod_search_dom(handle);
2203                 
2204         case PH_MOD_SEARCH_DOM:
2205                 ret = ldb_wait(ac->dom_req->handle, LDB_WAIT_NONE);
2206
2207                 if (ret != LDB_SUCCESS) {
2208                         handle->status = ret;
2209                         goto done;
2210                 }
2211                 if (ac->dom_req->handle->status != LDB_SUCCESS) {
2212                         handle->status = ac->dom_req->handle->status;
2213                         goto done;
2214                 }
2215
2216                 if (ac->dom_req->handle->state != LDB_ASYNC_DONE) {
2217                         return LDB_SUCCESS;
2218                 }
2219
2220                 /* domain search done, go on */
2221                 return password_hash_mod_do_mod(handle);
2222
2223         case PH_MOD_DO_MOD:
2224                 ret = ldb_wait(ac->mod_req->handle, LDB_WAIT_NONE);
2225
2226                 if (ret != LDB_SUCCESS) {
2227                         handle->status = ret;
2228                         goto done;
2229                 }
2230                 if (ac->mod_req->handle->status != LDB_SUCCESS) {
2231                         handle->status = ac->mod_req->handle->status;
2232                         goto done;
2233                 }
2234
2235                 if (ac->mod_req->handle->state != LDB_ASYNC_DONE) {
2236                         return LDB_SUCCESS;
2237                 }
2238
2239                 break;
2240                 
2241         default:
2242                 ret = LDB_ERR_OPERATIONS_ERROR;
2243                 goto done;
2244         }
2245
2246         ret = LDB_SUCCESS;
2247
2248 done:
2249         handle->state = LDB_ASYNC_DONE;
2250         return ret;
2251 }
2252
2253 static int ph_wait_all(struct ldb_handle *handle) {
2254
2255         int ret;
2256
2257         while (handle->state != LDB_ASYNC_DONE) {
2258                 ret = ph_wait(handle);
2259                 if (ret != LDB_SUCCESS) {
2260                         return ret;
2261                 }
2262         }
2263
2264         return handle->status;
2265 }
2266
2267 static int password_hash_wait(struct ldb_handle *handle, enum ldb_wait_type type)
2268 {
2269         if (type == LDB_WAIT_ALL) {
2270                 return ph_wait_all(handle);
2271         } else {
2272                 return ph_wait(handle);
2273         }
2274 }
2275
2276 _PUBLIC_ const struct ldb_module_ops ldb_password_hash_module_ops = {
2277         .name          = "password_hash",
2278         .add           = password_hash_add,
2279         .modify        = password_hash_modify,
2280         .wait          = password_hash_wait
2281 };
Samba Shared Repository