git.samba.org / samba.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
r25026: Move param/param.h out of includes.h
[samba.git] / source4 / dsdb / samdb / ldb_modules / password_hash.c
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 9bdb9aa0cc56ecc1253c1ad2b82149e4a2a1ecdd..22d04a5519a4a49a242b66d22f2eaaac24c155f6 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -4,10 +4,11 @@
    Copyright (C) Simo Sorce  2004-2006
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
    Copyright (C) Andrew Tridgell 2004
    Copyright (C) Simo Sorce  2004-2006
    Copyright (C) Andrew Bartlett <abartlet@samba.org> 2005-2006
    Copyright (C) Andrew Tridgell 2004
+   Copyright (C) Stefan Metzmacher 2007
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
 
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
-   the Free Software Foundation; either version 2 of the License, or
+   the Free Software Foundation; either version 3 of the License, or
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
    (at your option) any later version.
    
    This program is distributed in the hope that it will be useful,
@@ -16,8 +17,7 @@
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
    GNU General Public License for more details.
    
    You should have received a copy of the GNU General Public License
-   along with this program; if not, write to the Free Software
-   Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
 */
 
 /*
 */
 
 /*
@@ -28,6 +28,7 @@
  *  Description: correctly update hash values based on changes to sambaPassword and friends
  *
  *  Author: Andrew Bartlett
  *  Description: correctly update hash values based on changes to sambaPassword and friends
  *
  *  Author: Andrew Bartlett
+ *  Author: Stefan Metzmacher
  */
 
 #include "includes.h"
  */
 
 #include "includes.h"
@@ -43,8 +44,11 @@
 #include "system/time.h"
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/common/flags.h"
 #include "system/time.h"
 #include "dsdb/samdb/samdb.h"
 #include "dsdb/common/flags.h"
-#include "hdb.h"
 #include "dsdb/samdb/ldb_modules/password_modules.h"
 #include "dsdb/samdb/ldb_modules/password_modules.h"
+#include "librpc/ndr/libndr.h"
+#include "librpc/gen_ndr/ndr_drsblobs.h"
+#include "lib/crypto/crypto.h"
+#include "param/param.h"
 
 /* If we have decided there is reason to work on this request, then
  * setup all the password hash types correctly.
 
 /* If we have decided there is reason to work on this request, then
  * setup all the password hash types correctly.
@@ -56,8 +60,8 @@
  * Once this is done (which could update anything at all), we
  * calculate the password hashes.
  *
  * Once this is done (which could update anything at all), we
  * calculate the password hashes.
  *
- * This function must not only update the ntPwdHash, lmPwdHash and
- * krb5Key fields, it must also atomicly increment the
+ * This function must not only update the unicodePwd, dBCSPwd and
+ * supplementalCredentials fields, it must also atomicly increment the
  * msDS-KeyVersionNumber.  We should be in a transaction, so all this
  * should be quite safe...
  *
  * msDS-KeyVersionNumber.  We should be in a transaction, so all this
  * should be quite safe...
  *
@@ -88,330 +92,1041 @@ struct ph_context {
 };
 
 struct domain_data {
 };
 
 struct domain_data {
+       BOOL store_cleartext;
        uint_t pwdProperties;
        uint_t pwdHistoryLength;
        uint_t pwdProperties;
        uint_t pwdHistoryLength;
+       char *netbios_domain;
        char *dns_domain;
        char *realm;
 };
 
        char *dns_domain;
        char *realm;
 };
 
-static int add_password_hashes(struct ldb_module *module, struct ldb_message *msg, int is_mod)
+struct setup_password_fields_io {
+       struct ph_context *ac;
+       struct domain_data *domain;
+       struct smb_krb5_context *smb_krb5_context;
+
+       /* infos about the user account */
+       struct {
+               uint32_t user_account_control;
+               const char *sAMAccountName;
+               const char *user_principal_name;
+               bool is_computer;
+       } u;
+
+       /* new credentials */
+       struct {
+               const char *cleartext;
+               struct samr_Password *nt_hash;
+               struct samr_Password *lm_hash;
+       } n;
+
+       /* old credentials */
+       struct {
+               uint32_t nt_history_len;
+               struct samr_Password *nt_history;
+               uint32_t lm_history_len;
+               struct samr_Password *lm_history;
+               const struct ldb_val *supplemental;
+               struct supplementalCredentialsBlob scb;
+               uint32_t kvno;
+       } o;
+
+       /* generated credentials */
+       struct {
+               struct samr_Password *nt_hash;
+               struct samr_Password *lm_hash;
+               uint32_t nt_history_len;
+               struct samr_Password *nt_history;
+               uint32_t lm_history_len;
+               struct samr_Password *lm_history;
+               struct ldb_val supplemental;
+               NTTIME last_set;
+               uint32_t kvno;
+       } g;
+};
+
+static int setup_nt_fields(struct setup_password_fields_io *io)
 {
 {
-       const char *sambaPassword;
-       struct samr_Password tmp_hash;
-       
-       sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
-       if (sambaPassword == NULL) { /* impossible, what happened ?! */
+       uint32_t i;
+
+       io->g.nt_hash = io->n.nt_hash;
+
+       if (io->domain->pwdHistoryLength == 0) {
+               return LDB_SUCCESS;
+       }
+
+       /* We might not have an old NT password */
+       io->g.nt_history = talloc_array(io->ac,
+                                       struct samr_Password,
+                                       io->domain->pwdHistoryLength);
+       if (!io->g.nt_history) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       if (is_mod) {
-               if (ldb_msg_add_empty(msg, "ntPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-               if (ldb_msg_add_empty(msg, "lmPwdHash", LDB_FLAG_MOD_REPLACE) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-       }       
+       for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.nt_history_len); i++) {
+               io->g.nt_history[i+1] = io->o.nt_history[i];
+       }
+       io->g.nt_history_len = i + 1;
+
+       if (io->g.nt_hash) {
+               io->g.nt_history[0] = *io->g.nt_hash;
+       } else {
+               /* 
+                * TODO: is this correct?
+                * the simular behavior is correct for the lm history case
+                */
+               E_md4hash("", io->g.nt_history[0].hash);
+       }
+
+       return LDB_SUCCESS;
+}
+
+static int setup_lm_fields(struct setup_password_fields_io *io)
+{
+       uint32_t i;
+
+       io->g.lm_hash = io->n.lm_hash;
 
 
-       /* compute the new nt and lm hashes */
-       E_md4hash(sambaPassword, tmp_hash.hash);
-       if (samdb_msg_add_hash(module->ldb, msg, msg, "ntPwdHash", &tmp_hash) != 0) {
+       if (io->domain->pwdHistoryLength == 0) {
+               return LDB_SUCCESS;
+       }
+
+       /* We might not have an old NT password */
+       io->g.lm_history = talloc_array(io->ac,
+                                       struct samr_Password,
+                                       io->domain->pwdHistoryLength);
+       if (!io->g.lm_history) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       if (E_deshash(sambaPassword, tmp_hash.hash)) {
-               if (samdb_msg_add_hash(module->ldb, msg, msg, "lmPwdHash", &tmp_hash) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
+       for (i = 0; i < MIN(io->domain->pwdHistoryLength-1, io->o.lm_history_len); i++) {
+               io->g.lm_history[i+1] = io->o.lm_history[i];
+       }
+       io->g.lm_history_len = i + 1;
+
+       if (io->g.lm_hash) {
+               io->g.lm_history[0] = *io->g.lm_hash;
+       } else {
+               E_deshash("", io->g.lm_history[0].hash);
        }
 
        return LDB_SUCCESS;
 }
 
        }
 
        return LDB_SUCCESS;
 }
 
-static int add_krb5_keys_from_password(struct ldb_module *module, struct ldb_message *msg,
-                                       struct smb_krb5_context *smb_krb5_context,
-                                       struct domain_data *domain,
-                                       const char *samAccountName,
-                                       const char *user_principal_name,
-                                       int is_computer)
+static int setup_primary_kerberos(struct setup_password_fields_io *io,
+                                 const struct supplementalCredentialsBlob *old_scb,
+                                 struct package_PrimaryKerberosBlob *pkb)
 {
 {
-       const char *sambaPassword;
-       Principal *salt_principal;
        krb5_error_code krb5_ret;
        krb5_error_code krb5_ret;
-       size_t num_keys;
-       Key *keys;
-       int i;
+       Principal *salt_principal;
+       krb5_salt salt;
+       krb5_keyblock key;
+       uint32_t k=0;
+       struct package_PrimaryKerberosCtr3 *pkb3 = &pkb->ctr.ctr3;
+       struct supplementalCredentialsPackage *old_scp = NULL;
+       struct package_PrimaryKerberosBlob _old_pkb;
+       struct package_PrimaryKerberosCtr3 *old_pkb3 = NULL;
+       uint32_t i;
+       NTSTATUS status;
 
        /* Many, many thanks to lukeh@padl.com for this
         * algorithm, described in his Nov 10 2004 mail to
         * samba-technical@samba.org */
 
 
        /* Many, many thanks to lukeh@padl.com for this
         * algorithm, described in his Nov 10 2004 mail to
         * samba-technical@samba.org */
 
-       sambaPassword = ldb_msg_find_attr_as_string(msg, "sambaPassword", NULL);
-       if (sambaPassword == NULL) { /* impossible, what happened ?! */
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-
-       if (is_computer) {
-               /* Determine a salting principal */
-               char *name = talloc_strdup(msg, samAccountName);
+       /*
+        * Determine a salting principal
+        */
+       if (io->u.is_computer) {
+               char *name;
                char *saltbody;
                char *saltbody;
-               if (name == NULL) {
-                       ldb_asprintf_errstring(module->ldb,
-                                               "password_hash_handle: "
-                                               "generation of new kerberos keys failed: %s is a computer without a samAccountName",
-                                               ldb_dn_linearize(msg, msg->dn));
+
+               name = talloc_strdup(io->ac, io->u.sAMAccountName);
+               if (!name) {
+                       ldb_oom(io->ac->module->ldb);
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
+
                if (name[strlen(name)-1] == '$') {
                        name[strlen(name)-1] = '\0';
                }
                if (name[strlen(name)-1] == '$') {
                        name[strlen(name)-1] = '\0';
                }
-               saltbody = talloc_asprintf(msg, "%s.%s", name, domain->dns_domain);
+
+               saltbody = talloc_asprintf(io->ac, "%s.%s", name, io->domain->dns_domain);
+               if (!saltbody) {
+                       ldb_oom(io->ac->module->ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
                
                
-               krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
-                                               &salt_principal,
-                                               domain->realm, "host",
-                                               saltbody, NULL);
-       } else if (user_principal_name) {
+               krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+                                              &salt_principal,
+                                              io->domain->realm, "host",
+                                              saltbody, NULL);
+       } else if (io->u.user_principal_name) {
+               char *user_principal_name;
                char *p;
                char *p;
-               user_principal_name = talloc_strdup(msg, user_principal_name);
-               if (user_principal_name == NULL) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               } else {
-                       p = strchr(user_principal_name, '@');
-                       if (p) {
-                               p[0] = '\0';
-                       }
-                       krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
-                                                       &salt_principal,
-                                                       domain->realm, user_principal_name, NULL);
-               } 
-       } else {
-               if (!samAccountName) {
-                       ldb_asprintf_errstring(module->ldb,
-                                               "password_hash_handle: "
-                                               "generation of new kerberos keys failed: %s has no samAccountName",
-                                               ldb_dn_linearize(msg, msg->dn));
+
+               user_principal_name = talloc_strdup(io->ac, io->u.user_principal_name);
+               if (!user_principal_name) {
+                       ldb_oom(io->ac->module->ldb);
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
-               krb5_ret = krb5_make_principal(smb_krb5_context->krb5_context,
-                                               &salt_principal,
-                                               domain->realm, samAccountName,
-                                               NULL);
+
+               p = strchr(user_principal_name, '@');
+               if (p) {
+                       p[0] = '\0';
+               }
+
+               krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+                                              &salt_principal,
+                                              io->domain->realm, user_principal_name,
+                                              NULL);
+       } else {
+               krb5_ret = krb5_make_principal(io->smb_krb5_context->krb5_context,
+                                              &salt_principal,
+                                              io->domain->realm, io->u.sAMAccountName,
+                                              NULL);
+       }
+       if (krb5_ret) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_primary_kerberos: "
+                                      "generation of a salting principal failed: %s",
+                                      smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
+               return LDB_ERR_OPERATIONS_ERROR;
        }
 
        }
 
+       /*
+        * create salt from salt_principal
+        */
+       krb5_ret = krb5_get_pw_salt(io->smb_krb5_context->krb5_context,
+                                   salt_principal, &salt);
+       krb5_free_principal(io->smb_krb5_context->krb5_context, salt_principal);
        if (krb5_ret) {
        if (krb5_ret) {
-               ldb_asprintf_errstring(module->ldb,
-                                       "password_hash_handle: "
-                                       "generation of a saltking principal failed: %s",
-                                       smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_primary_kerberos: "
+                                      "generation of krb5_salt failed: %s",
+                                      smb_get_krb5_error_message(io->smb_krb5_context->krb5_context, krb5_ret, io->ac));
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       /* create a talloc copy */
+       pkb3->salt.string = talloc_strndup(io->ac,
+                                         salt.saltvalue.data,
+                                         salt.saltvalue.length);
+       krb5_free_salt(io->smb_krb5_context->krb5_context, salt);
+       if (!pkb3->salt.string) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       salt.saltvalue.data     = discard_const(pkb3->salt.string);
+       salt.saltvalue.length   = strlen(pkb3->salt.string);
+
+       /*
+        * prepare generation of keys
+        *
+        * ENCTYPE_AES256_CTS_HMAC_SHA1_96 (disabled by default)
+        * ENCTYPE_DES_CBC_MD5
+        * ENCTYPE_DES_CBC_CRC
+        *
+        * NOTE: update num_keys when you add another enctype!
+        */
+       pkb3->num_keys  = 3;
+       pkb3->keys      = talloc_array(io->ac, struct package_PrimaryKerberosKey, pkb3->num_keys);
+       if (!pkb3->keys) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       pkb3->unknown3  = talloc_zero_array(io->ac, uint64_t, pkb3->num_keys);
+       if (!pkb3->unknown3) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       /* TODO: We may wish to control the encryption types chosen in future */
-       krb5_ret = hdb_generate_key_set_password(smb_krb5_context->krb5_context,
-                                                salt_principal, sambaPassword, &keys, &num_keys);
-       krb5_free_principal(smb_krb5_context->krb5_context, salt_principal);
+       if (lp_parm_bool(-1, "password_hash", "create_aes_key", false)) {
+       /*
+        * TODO:
+        *
+        * w2k and w2k3 doesn't support AES, so we'll not include
+        * the AES key here yet.
+        *
+        * Also we don't have an example supplementalCredentials blob
+        * from Windows Longhorn Server with AES support
+        *
+        */
+       /*
+        * create ENCTYPE_AES256_CTS_HMAC_SHA1_96 key out of
+        * the salt and the cleartext password
+        */
+       krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+                                          ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+                                          io->n.cleartext,
+                                          salt,
+                                          &key);
+       pkb3->keys[k].keytype   = ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+       pkb3->keys[k].value     = talloc(pkb3->keys, DATA_BLOB);
+       if (!pkb3->keys[k].value) {
+               krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       *pkb3->keys[k].value    = data_blob_talloc(pkb3->keys[k].value,
+                                                  key.keyvalue.data,
+                                                  key.keyvalue.length);
+       krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+       if (!pkb3->keys[k].value->data) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       k++;
+}
 
 
-       if (krb5_ret) {
-               ldb_asprintf_errstring(module->ldb,
-                                       "password_hash_handle: "
-                                       "generation of new kerberos keys failed: %s",
-                                       smb_get_krb5_error_message(smb_krb5_context->krb5_context, krb5_ret, msg));
+       /*
+        * create ENCTYPE_DES_CBC_MD5 key out of
+        * the salt and the cleartext password
+        */
+       krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+                                          ENCTYPE_DES_CBC_MD5,
+                                          io->n.cleartext,
+                                          salt,
+                                          &key);
+       pkb3->keys[k].keytype   = ENCTYPE_DES_CBC_MD5;
+       pkb3->keys[k].value     = talloc(pkb3->keys, DATA_BLOB);
+       if (!pkb3->keys[k].value) {
+               krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
+       *pkb3->keys[k].value    = data_blob_talloc(pkb3->keys[k].value,
+                                                  key.keyvalue.data,
+                                                  key.keyvalue.length);
+       krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+       if (!pkb3->keys[k].value->data) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       k++;
 
 
-       /* Walking all the key types generated, transform each
-        * key into an ASN.1 blob
+       /*
+        * create ENCTYPE_DES_CBC_CRC key out of
+        * the salt and the cleartext password
         */
         */
-       for (i=0; i < num_keys; i++) {
-               unsigned char *buf;
-               size_t buf_size;
-               size_t len;
-               struct ldb_val val;
-               int ret;
-               
-               if (keys[i].key.keytype == ETYPE_ARCFOUR_HMAC_MD5) {
-                       /* We might end up doing this below:
-                        * This ensures we get the unicode
-                        * conversion right.  This should also
-                        * be fixed in the Heimdal libs */
+       krb5_ret = krb5_string_to_key_salt(io->smb_krb5_context->krb5_context,
+                                          ENCTYPE_DES_CBC_CRC,
+                                          io->n.cleartext,
+                                          salt,
+                                          &key);
+       pkb3->keys[k].keytype   = ENCTYPE_DES_CBC_CRC;
+       pkb3->keys[k].value     = talloc(pkb3->keys, DATA_BLOB);
+       if (!pkb3->keys[k].value) {
+               krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       *pkb3->keys[k].value    = data_blob_talloc(pkb3->keys[k].value,
+                                                  key.keyvalue.data,
+                                                  key.keyvalue.length);
+       krb5_free_keyblock_contents(io->smb_krb5_context->krb5_context, &key);
+       if (!pkb3->keys[k].value->data) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       k++;
+
+       /* fix up key number */
+       pkb3->num_keys = k;
+
+       /* initialize the old keys to zero */
+       pkb3->num_old_keys      = 0;
+       pkb3->old_keys          = NULL;
+       pkb3->unknown3_old      = NULL;
+
+       /* if there're no old keys, then we're done */
+       if (!old_scb) {
+               return LDB_SUCCESS;
+       }
+
+       for (i=0; i < old_scb->sub.num_packages; i++) {
+               if (old_scb->sub.packages[i].unknown1 != 0x00000001) {
+                       continue;
+               }
+
+               if (strcmp("Primary:Kerberos", old_scb->sub.packages[i].name) != 0) {
                        continue;
                }
                        continue;
                }
-               ASN1_MALLOC_ENCODE(Key, buf, buf_size, &keys[i], &len, krb5_ret);
-               if (krb5_ret) {
+
+               if (!old_scb->sub.packages[i].data || !old_scb->sub.packages[i].data[0]) {
+                       continue;
+               }
+
+               old_scp = &old_scb->sub.packages[i];
+               break;
+       }
+       /* Primary:Kerberos element of supplementalCredentials */
+       if (old_scp) {
+               DATA_BLOB blob;
+
+               blob = strhex_to_data_blob(old_scp->data);
+               if (!blob.data) {
+                       ldb_oom(io->ac->module->ldb);
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
-               
-               val.data = talloc_memdup(msg, buf, len);
-               val.length = len;
-               free(buf);
-               if (!val.data || krb5_ret) {
-                       hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
+               talloc_steal(io->ac, blob.data);
+
+               /* TODO: use ndr_pull_struct_blob_all(), when the ndr layer handles it correct with relative pointers */
+               status = ndr_pull_struct_blob(&blob, io->ac, &_old_pkb,
+                                             (ndr_pull_flags_fn_t)ndr_pull_package_PrimaryKerberosBlob);
+               if (!NT_STATUS_IS_OK(status)) {
+                       ldb_asprintf_errstring(io->ac->module->ldb,
+                                              "setup_primary_kerberos: "
+                                              "failed to pull old package_PrimaryKerberosBlob: %s",
+                                              nt_errstr(status));
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
-               ret = ldb_msg_add_value(msg, "krb5Key", &val);
-               if (ret != LDB_SUCCESS) {
-                       hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
-                       return ret;
+
+               if (_old_pkb.version != 3) {
+                       ldb_asprintf_errstring(io->ac->module->ldb,
+                                              "setup_primary_kerberos: "
+                                              "package_PrimaryKerberosBlob version[%u] expected[3]",
+                                              _old_pkb.version);
+                       return LDB_ERR_OPERATIONS_ERROR;
                }
                }
+
+               old_pkb3 = &_old_pkb.ctr.ctr3;
+       }
+
+       /* if we didn't found the old keys we're done */
+       if (!old_pkb3) {
+               return LDB_SUCCESS;
        }
        }
-       
-       hdb_free_keys (smb_krb5_context->krb5_context, num_keys, keys);
+
+       /* fill in the old keys */
+       pkb3->num_old_keys      = old_pkb3->num_keys;
+       pkb3->old_keys          = old_pkb3->keys;
+       pkb3->unknown3_old      = old_pkb3->unknown3;
 
        return LDB_SUCCESS;
 }
 
 
        return LDB_SUCCESS;
 }
 
-static int add_krb5_keys_from_NThash(struct ldb_module *module, struct ldb_message *msg,
-                                       struct smb_krb5_context *smb_krb5_context)
+static int setup_primary_wdigest(struct setup_password_fields_io *io,
+                                const struct supplementalCredentialsBlob *old_scb,
+                                struct package_PrimaryWDigestBlob *pdb)
 {
 {
-       struct samr_Password *ntPwdHash;
-       krb5_error_code krb5_ret;
-       unsigned char *buf;
-       size_t buf_size;
-       size_t len;
-       struct ldb_val val;
-       Key key;
-       
-       key.mkvno = 0;
-       key.salt = NULL; /* No salt for this enc type */
+       DATA_BLOB sAMAccountName;
+       DATA_BLOB sAMAccountName_l;
+       DATA_BLOB sAMAccountName_u;
+       const char *user_principal_name = io->u.user_principal_name;
+       DATA_BLOB userPrincipalName;
+       DATA_BLOB userPrincipalName_l;
+       DATA_BLOB userPrincipalName_u;
+       DATA_BLOB netbios_domain;
+       DATA_BLOB netbios_domain_l;
+       DATA_BLOB netbios_domain_u;
+       DATA_BLOB dns_domain;
+       DATA_BLOB dns_domain_l;
+       DATA_BLOB dns_domain_u;
+       DATA_BLOB cleartext;
+       DATA_BLOB digest;
+       DATA_BLOB delim;
+       DATA_BLOB backslash;
+       uint8_t i;
+       struct {
+               DATA_BLOB *user;
+               DATA_BLOB *realm;
+               DATA_BLOB *nt4dom;
+       } wdigest[] = {
+       /*
+        * See
+        * http://technet2.microsoft.com/WindowsServer/en/library/717b450c-f4a0-4cc9-86f4-cc0633aae5f91033.mspx?mfr=true
+        * for what precalculated hashes are supposed to be stored...
+        *
+        * I can't reproduce all values which should contain "Digest" as realm,
+        * am I doing something wrong or is w2k3 just broken...?
+        *
+        * W2K3 fills in following for a user:
+        *
+        * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
+        * sAMAccountName: NewUser2Sam
+        * userPrincipalName: NewUser2Princ@sub1.w2k3.vmnet1.vm.base
+        *
+        * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
+        * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
+        * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
+        * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
+        * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
+        * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
+        * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
+        * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * 221c55284451ae9b3aacaa2a3c86f10f => NewUser2Princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
+        * 74e1be668853d4324d38c07e2acfb8ea => (w2k3 has a bug here!) newuser2princ@sub1.w2k3.vmnet1.vm.base::TestPwd2007
+        * e1e244ab7f098e3ae1761be7f9229bbb => NEWUSER2PRINC@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
+        * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
+        * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
+        * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
+        * 31dc704d3640335b2123d4ee28aa1f11 => ??? changes with NewUser2Sam => NewUser1Sam
+        * 36349f5cecd07320fb3bb0e119230c43 => ??? changes with NewUser2Sam => NewUser1Sam
+        * 12adf019d037fb535c01fd0608e78d9d => ??? changes with NewUser2Sam => NewUser1Sam
+        * 6feecf8e724906f3ee1105819c5105a1 => ??? changes with NewUser2Princ => NewUser1Princ
+        * 6c6911f3de6333422640221b9c51ff1f => ??? changes with NewUser2Princ => NewUser1Princ
+        * 4b279877e742895f9348ac67a8de2f69 => ??? changes with NewUser2Princ => NewUser1Princ
+        * db0c6bff069513e3ebb9870d29b57490 => ??? changes with NewUser2Sam => NewUser1Sam
+        * 45072621e56b1c113a4e04a8ff68cd0e => ??? changes with NewUser2Sam => NewUser1Sam
+        * 11d1220abc44a9c10cf91ef4a9c1de02 => ??? changes with NewUser2Sam => NewUser1Sam
+        *
+        * dn: CN=NewUser,OU=newtop,DC=sub1,DC=w2k3,DC=vmnet1,DC=vm,DC=base
+        * sAMAccountName: NewUser2Sam
+        *
+        * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
+        * b7ec9da91062199aee7d121e6710fe23 => newuser2sam:sub1:TestPwd2007
+        * 17d290bc5c9f463fac54c37a8cea134d => NEWUSER2SAM:SUB1:TestPwd2007
+        * 4279815024bda54fc074a5f8bd0a6e6f => NewUser2Sam:SUB1:TestPwd2007
+        * 5d57e7823938348127322e08cd81bcb5 => NewUser2Sam:sub1:TestPwd2007
+        * 07dd701bf8a011ece585de3d47237140 => NEWUSER2SAM:sub1:TestPwd2007
+        * e14fb0eb401498d2cb33c9aae1cc7f37 => newuser2sam:SUB1:TestPwd2007
+        * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * f52da1266a6bdd290ffd48b2c823dda7 => newuser2sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * d2b42f171248cec37a3c5c6b55404062 => NEWUSER2SAM:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * fff8d790ff6c152aaeb6ebe17b4021de => NewUser2Sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * 8dadc90250f873d8b883f79d890bef82 => NewUser2Sam:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * 2a7563c3715bc418d626dabef378c008 => NEWUSER2SAM:sub1.w2k3.vmnet1.vm.base:TestPwd2007
+        * c8e9557a87cd4200fda0c11d2fa03f96 => newuser2sam:SUB1.W2K3.VMNET1.VM.BASE:TestPwd2007
+        * 8a140d30b6f0a5912735dc1e3bc993b4 => NewUser2Sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
+        * 86d95b2faae6cae4ec261e7fbaccf093 => (here w2k3 is correct) newuser2sam@sub1.w2k3.vmnet1.vm.base::TestPwd2007
+        * dfeff1493110220efcdfc6362e5f5450 => NEWUSER2SAM@SUB1.W2K3.VMNET1.VM.BASE::TestPwd2007
+        * 86db637df42513039920e605499c3af6 => SUB1\NewUser2Sam::TestPwd2007
+        * f5e43474dfaf067fee8197a253debaa2 => sub1\newuser2sam::TestPwd2007
+        * 2ecaa8382e2518e4b77a52422b279467 => SUB1\NEWUSER2SAM::TestPwd2007
+        * 31dc704d3640335b2123d4ee28aa1f11 => ???M1   changes with NewUser2Sam => NewUser1Sam
+        * 36349f5cecd07320fb3bb0e119230c43 => ???M1.L changes with newuser2sam => newuser1sam
+        * 12adf019d037fb535c01fd0608e78d9d => ???M1.U changes with NEWUSER2SAM => NEWUSER1SAM
+        * 569b4533f2d9e580211dd040e5e360a8 => ???M2   changes with NewUser2Princ => NewUser1Princ
+        * 52528bddf310a587c5d7e6a9ae2cbb20 => ???M2.L changes with newuser2princ => newuser1princ
+        * 4f629a4f0361289ca4255ab0f658fcd5 => ???M3 changes with NewUser2Princ => NewUser1Princ (doesn't depend on case of userPrincipal )
+        * db0c6bff069513e3ebb9870d29b57490 => ???M4 changes with NewUser2Sam => NewUser1Sam
+        * 45072621e56b1c113a4e04a8ff68cd0e => ???M5 changes with NewUser2Sam => NewUser1Sam (doesn't depend on case of sAMAccountName)
+        * 11d1220abc44a9c10cf91ef4a9c1de02 => ???M4.U changes with NEWUSER2SAM => NEWUSER1SAM
+        */
 
 
-       ntPwdHash = samdb_result_hash(msg, msg, "ntPwdHash");
-       if (ntPwdHash == NULL) { /* what happened ?! */
+       /*
+        * sAMAccountName, netbios_domain
+        */
+               {
+               .user   = &sAMAccountName,
+               .realm  = &netbios_domain,
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .realm  = &netbios_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .realm  = &netbios_domain_u,
+               },
+               {
+               .user   = &sAMAccountName,
+               .realm  = &netbios_domain_u,
+               },
+               {
+               .user   = &sAMAccountName,
+               .realm  = &netbios_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .realm  = &netbios_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .realm  = &netbios_domain_u,
+               },
+       /* 
+        * sAMAccountName, dns_domain
+        */
+               {
+               .user   = &sAMAccountName,
+               .realm  = &dns_domain,
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .realm  = &dns_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .realm  = &dns_domain_u,
+               },
+               {
+               .user   = &sAMAccountName,
+               .realm  = &dns_domain_u,
+               },
+               {
+               .user   = &sAMAccountName,
+               .realm  = &dns_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .realm  = &dns_domain_l,
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .realm  = &dns_domain_u,
+               },
+       /* 
+        * userPrincipalName, no realm
+        */
+               {
+               .user   = &userPrincipalName,
+               },
+               {
+               /* 
+                * NOTE: w2k3 messes this up, if the user has a real userPrincipalName,
+                *       the fallback to the sAMAccountName based userPrincipalName is correct
+                */
+               .user   = &userPrincipalName_l,
+               },
+               {
+               .user   = &userPrincipalName_u,
+               },
+       /* 
+        * nt4dom\sAMAccountName, no realm
+        */
+               {
+               .user   = &sAMAccountName,
+               .nt4dom = &netbios_domain
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .nt4dom = &netbios_domain_l
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .nt4dom = &netbios_domain_u
+               },
+
+       /*
+        * the following ones are guessed depending on the technet2 article
+        * but not reproducable on a w2k3 server
+        */
+       /* sAMAccountName with "Digest" realm */
+               {
+               .user   = &sAMAccountName,
+               .realm  = &digest
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .realm  = &digest
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .realm  = &digest
+               },
+       /* userPrincipalName with "Digest" realm */
+               {
+               .user   = &userPrincipalName,
+               .realm  = &digest
+               },
+               {
+               .user   = &userPrincipalName_l,
+               .realm  = &digest
+               },
+               {
+               .user   = &userPrincipalName_u,
+               .realm  = &digest
+               },
+       /* nt4dom\\sAMAccountName with "Digest" realm */
+               {
+               .user   = &sAMAccountName,
+               .nt4dom = &netbios_domain,
+               .realm  = &digest
+               },
+               {
+               .user   = &sAMAccountName_l,
+               .nt4dom = &netbios_domain_l,
+               .realm  = &digest
+               },
+               {
+               .user   = &sAMAccountName_u,
+               .nt4dom = &netbios_domain_u,
+               .realm  = &digest
+               },
+       };
+
+       /* prepare DATA_BLOB's used in the combinations array */
+       sAMAccountName          = data_blob_string_const(io->u.sAMAccountName);
+       sAMAccountName_l        = data_blob_string_const(strlower_talloc(io->ac, io->u.sAMAccountName));
+       if (!sAMAccountName_l.data) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       sAMAccountName_u        = data_blob_string_const(strupper_talloc(io->ac, io->u.sAMAccountName));
+       if (!sAMAccountName_u.data) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       krb5_ret = krb5_keyblock_init(smb_krb5_context->krb5_context,
-                                     ETYPE_ARCFOUR_HMAC_MD5,
-                                     ntPwdHash->hash, sizeof(ntPwdHash->hash), 
-                                     &key.key);
-       if (krb5_ret) {
+       /* if the user doesn't have a userPrincipalName, create one (with lower case realm) */
+       if (!user_principal_name) {
+               user_principal_name = talloc_asprintf(io->ac, "%s@%s",
+                                                     io->u.sAMAccountName,
+                                                     io->domain->dns_domain);
+               if (!user_principal_name) {
+                       ldb_oom(io->ac->module->ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }       
+       }
+       userPrincipalName       = data_blob_string_const(user_principal_name);
+       userPrincipalName_l     = data_blob_string_const(strlower_talloc(io->ac, user_principal_name));
+       if (!userPrincipalName_l.data) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
-       ASN1_MALLOC_ENCODE(Key, buf, buf_size, &key, &len, krb5_ret);
-       if (krb5_ret) {
+       userPrincipalName_u     = data_blob_string_const(strupper_talloc(io->ac, user_principal_name));
+       if (!userPrincipalName_u.data) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
-       krb5_free_keyblock_contents(smb_krb5_context->krb5_context,
-                                   &key.key);
-       
-       val.data = talloc_memdup(msg, buf, len);
-       val.length = len;
-       free(buf);
-       if (!val.data) {
+
+       netbios_domain          = data_blob_string_const(io->domain->netbios_domain);
+       netbios_domain_l        = data_blob_string_const(strlower_talloc(io->ac, io->domain->netbios_domain));
+       if (!netbios_domain_l.data) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
-       if (ldb_msg_add_value(msg, "krb5Key", &val) != 0) {
+       netbios_domain_u        = data_blob_string_const(strupper_talloc(io->ac, io->domain->netbios_domain));
+       if (!netbios_domain_u.data) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
+       dns_domain              = data_blob_string_const(io->domain->dns_domain);
+       dns_domain_l            = data_blob_string_const(io->domain->dns_domain);
+       dns_domain_u            = data_blob_string_const(io->domain->realm);
+
+       cleartext               = data_blob_string_const(io->n.cleartext);
+
+       digest                  = data_blob_string_const("Digest");
+
+       delim                   = data_blob_string_const(":");
+       backslash               = data_blob_string_const("\\");
+
+       pdb->num_hashes = ARRAY_SIZE(wdigest);
+       pdb->hashes     = talloc_array(io->ac, struct package_PrimaryWDigestHash, pdb->num_hashes);
+       if (!pdb->hashes) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+
+       for (i=0; i < ARRAY_SIZE(wdigest); i++) {
+               struct MD5Context md5;
+               MD5Init(&md5);
+               if (wdigest[i].nt4dom) {
+                       MD5Update(&md5, wdigest[i].nt4dom->data, wdigest[i].nt4dom->length);
+                       MD5Update(&md5, backslash.data, backslash.length);
+               }
+               MD5Update(&md5, wdigest[i].user->data, wdigest[i].user->length);
+               MD5Update(&md5, delim.data, delim.length);
+               if (wdigest[i].realm) {
+                       MD5Update(&md5, wdigest[i].realm->data, wdigest[i].realm->length);
+               }
+               MD5Update(&md5, delim.data, delim.length);
+               MD5Update(&md5, cleartext.data, cleartext.length);
+               MD5Final(pdb->hashes[i].hash, &md5);
+       }
+
        return LDB_SUCCESS;
 }
 
        return LDB_SUCCESS;
 }
 
-static int set_pwdLastSet(struct ldb_module *module, struct ldb_message *msg, int is_mod)
+static int setup_supplemental_field(struct setup_password_fields_io *io)
 {
 {
-       NTTIME now_nt;
+       struct supplementalCredentialsBlob scb;
+       struct supplementalCredentialsBlob _old_scb;
+       struct supplementalCredentialsBlob *old_scb = NULL;
+       /* Packages + (Kerberos, WDigest and maybe CLEARTEXT) */
+       uint32_t num_packages = 1 + 2;
+       struct supplementalCredentialsPackage packages[1+3];
+       struct supplementalCredentialsPackage *pp = &packages[0];
+       struct supplementalCredentialsPackage *pk = &packages[1];
+       struct supplementalCredentialsPackage *pd = &packages[2];
+       struct supplementalCredentialsPackage *pc = NULL;
+       struct package_PackagesBlob pb;
+       DATA_BLOB pb_blob;
+       char *pb_hexstr;
+       struct package_PrimaryKerberosBlob pkb;
+       DATA_BLOB pkb_blob;
+       char *pkb_hexstr;
+       struct package_PrimaryWDigestBlob pdb;
+       DATA_BLOB pdb_blob;
+       char *pdb_hexstr;
+       struct package_PrimaryCLEARTEXTBlob pcb;
+       DATA_BLOB pcb_blob;
+       char *pcb_hexstr;
+       int ret;
+       NTSTATUS status;
+       uint8_t zero16[16];
+
+       ZERO_STRUCT(zero16);
+
+       if (!io->n.cleartext) {
+               /* 
+                * when we don't have a cleartext password
+                * we can't setup a supplementalCredential value
+                */
+               return LDB_SUCCESS;
+       }
+
+       /* if there's an old supplementaCredentials blob then parse it */
+       if (io->o.supplemental) {
+               status = ndr_pull_struct_blob_all(io->o.supplemental, io->ac, &_old_scb,
+                                                 (ndr_pull_flags_fn_t)ndr_pull_supplementalCredentialsBlob);
+               if (!NT_STATUS_IS_OK(status)) {
+                       ldb_asprintf_errstring(io->ac->module->ldb,
+                                              "setup_supplemental_field: "
+                                              "failed to pull old supplementalCredentialsBlob: %s",
+                                              nt_errstr(status));
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
 
 
-       /* set it as now */
-       unix_to_nt_time(&now_nt, time(NULL));
+               old_scb = &_old_scb;
+       }
+
+       if (io->domain->store_cleartext &&
+           (io->u.user_account_control & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED)) {
+               pc = &packages[3];
+               num_packages++;
+       }
+
+       /* Kerberos, WDigest, CLEARTEXT and termination(counted by the Packages element) */
+       pb.names = talloc_zero_array(io->ac, const char *, num_packages);
+
+       /*
+        * setup 'Primary:Kerberos' element
+        */
+       pb.names[0] = "Kerberos";
+
+       ret = setup_primary_kerberos(io, old_scb, &pkb);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
 
 
-       if (!is_mod) {
-               /* be sure there isn't a 0 value set (eg. coming from the template) */
-               ldb_msg_remove_attr(msg, "pwdLastSet");
-               /* add */
-               if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_ADD) != 0) {
+       status = ndr_push_struct_blob(&pkb_blob, io->ac, &pkb,
+                                     (ndr_push_flags_fn_t)ndr_push_package_PrimaryKerberosBlob);
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_supplemental_field: "
+                                      "failed to push package_PrimaryKerberosBlob: %s",
+                                      nt_errstr(status));
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       /*
+        * TODO:
+        *
+        * This is ugly, but we want to generate the same blob as
+        * w2k and w2k3...we should handle this in the idl
+        */
+       if (!data_blob_append(io->ac, &pkb_blob, zero16, sizeof(zero16))) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       pkb_hexstr = data_blob_hex_string(io->ac, &pkb_blob);
+       if (!pkb_hexstr) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       pk->name        = "Primary:Kerberos";
+       pk->unknown1    = 1;
+       pk->data        = pkb_hexstr;
+
+       /*
+        * setup 'Primary:WDigest' element
+        */
+       pb.names[1] = "WDigest";
+
+       ret = setup_primary_wdigest(io, old_scb, &pdb);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+
+       status = ndr_push_struct_blob(&pdb_blob, io->ac, &pdb,
+                                     (ndr_push_flags_fn_t)ndr_push_package_PrimaryWDigestBlob);
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_supplemental_field: "
+                                      "failed to push package_PrimaryWDigestBlob: %s",
+                                      nt_errstr(status));
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       pdb_hexstr = data_blob_hex_string(io->ac, &pdb_blob);
+       if (!pdb_hexstr) {
+               ldb_oom(io->ac->module->ldb);
+               return LDB_ERR_OPERATIONS_ERROR;
+       }
+       pd->name        = "Primary:WDigest";
+       pd->unknown1    = 1;
+       pd->data        = pdb_hexstr;
+
+       /*
+        * setup 'Primary:CLEARTEXT' element
+        */
+       if (pc) {
+               pb.names[2]     = "CLEARTEXT";
+
+               pcb.cleartext   = io->n.cleartext;
+
+               status = ndr_push_struct_blob(&pcb_blob, io->ac, &pcb,
+                                             (ndr_push_flags_fn_t)ndr_push_package_PrimaryCLEARTEXTBlob);
+               if (!NT_STATUS_IS_OK(status)) {
+                       ldb_asprintf_errstring(io->ac->module->ldb,
+                                              "setup_supplemental_field: "
+                                              "failed to push package_PrimaryCLEARTEXTBlob: %s",
+                                              nt_errstr(status));
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
-       } else {
-               /* replace */
-               if (ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE) != 0) {
+               pcb_hexstr = data_blob_hex_string(io->ac, &pcb_blob);
+               if (!pcb_hexstr) {
+                       ldb_oom(io->ac->module->ldb);
                        return LDB_ERR_OPERATIONS_ERROR;
                }
                        return LDB_ERR_OPERATIONS_ERROR;
                }
+               pc->name        = "Primary:CLEARTEXT";
+               pc->unknown1    = 1;
+               pc->data        = pcb_hexstr;
        }
 
        }
 
-       if (samdb_msg_add_uint64(module->ldb, msg, msg, "pwdLastSet", now_nt) != 0) {
+       /*
+        * setup 'Packages' element
+        */
+       status = ndr_push_struct_blob(&pb_blob, io->ac, &pb,
+                                     (ndr_push_flags_fn_t)ndr_push_package_PackagesBlob);
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_supplemental_field: "
+                                      "failed to push package_PackagesBlob: %s",
+                                      nt_errstr(status));
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
-
-       return LDB_SUCCESS;
-}
-
-static int add_keyVersionNumber(struct ldb_module *module, struct ldb_message *msg, int previous)
-{
-       /* replace or add */
-       if (ldb_msg_add_empty(msg, "msDS-KeyVersionNumber", LDB_FLAG_MOD_REPLACE) != 0) {
+       pb_hexstr = data_blob_hex_string(io->ac, &pb_blob);
+       if (!pb_hexstr) {
+               ldb_oom(io->ac->module->ldb);
                return LDB_ERR_OPERATIONS_ERROR;
        }
                return LDB_ERR_OPERATIONS_ERROR;
        }
+       pp->name        = "Packages";
+       pp->unknown1    = 2;
+       pp->data        = pb_hexstr;
 
 
-       if (samdb_msg_add_uint(module->ldb, msg, msg, "msDS-KeyVersionNumber", previous+1) != 0) {
+       /*
+        * setup 'supplementalCredentials' value
+        */
+       scb.sub.num_packages    = num_packages;
+       scb.sub.packages        = packages;
+
+       status = ndr_push_struct_blob(&io->g.supplemental, io->ac, &scb,
+                                     (ndr_push_flags_fn_t)ndr_push_supplementalCredentialsBlob);
+       if (!NT_STATUS_IS_OK(status)) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_supplemental_field: "
+                                      "failed to push supplementalCredentialsBlob: %s",
+                                      nt_errstr(status));
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
        return LDB_SUCCESS;
 }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
        return LDB_SUCCESS;
 }
 
-static int setPwdHistory(struct ldb_module *module, struct ldb_message *msg, struct ldb_message *old_msg, int hlen)
+static int setup_last_set_field(struct setup_password_fields_io *io)
 {
 {
-       struct samr_Password *nt_hash;
-       struct samr_Password *lm_hash;
-       struct samr_Password *nt_history;
-       struct samr_Password *lm_history;
-       struct samr_Password *new_nt_history;
-       struct samr_Password *new_lm_history;
-       int nt_hist_len;
-       int lm_hist_len;
-       int i;
+       /* set it as now */
+       unix_to_nt_time(&io->g.last_set, time(NULL));
 
 
-       nt_hash = samdb_result_hash(msg, old_msg, "ntPwdHash");
-       lm_hash = samdb_result_hash(msg, old_msg, "lmPwdHash");
+       return LDB_SUCCESS;
+}
 
 
-       /* if no previous passwords just return */
-       if (nt_hash == NULL && lm_hash == NULL) return LDB_SUCCESS;
+static int setup_kvno_field(struct setup_password_fields_io *io)
+{
+       /* increment by one */
+       io->g.kvno = io->o.kvno + 1;
 
 
-       nt_hist_len = samdb_result_hashes(msg, old_msg, "sambaNTPwdHistory", &nt_history);
-       lm_hist_len = samdb_result_hashes(msg, old_msg, "sambaLMPwdHistory", &lm_history);
+       return LDB_SUCCESS;
+}
 
 
-       /* We might not have an old NT password */
-       new_nt_history = talloc_array(msg, struct samr_Password, hlen);
-       if (new_nt_history == NULL) {
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-       for (i = 0; i < MIN(hlen-1, nt_hist_len); i++) {
-               new_nt_history[i+1] = nt_history[i];
-       }
-       nt_hist_len = i + 1;
-       if (nt_hash) {
-               new_nt_history[0] = *nt_hash;
-       } else {
-               ZERO_STRUCT(new_nt_history[0]);
+static int setup_password_fields(struct setup_password_fields_io *io)
+{
+       bool ok;
+       int ret;
+
+       /*
+        * refuse the change if someone want to change the cleartext
+        * and supply his own hashes at the same time...
+        */
+       if (io->n.cleartext && (io->n.nt_hash || io->n.lm_hash)) {
+               ldb_asprintf_errstring(io->ac->module->ldb,
+                                      "setup_password_fields: "
+                                      "it's only allowed to set the cleartext password or the password hashes");
+               return LDB_ERR_UNWILLING_TO_PERFORM;
        }
        }
-       if (ldb_msg_add_empty(msg, "sambaNTPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+
+       if (io->n.cleartext && !io->n.nt_hash) {
+               struct samr_Password *hash;
+
+               hash = talloc(io->ac, struct samr_Password);
+               if (!hash) {
+                       ldb_oom(io->ac->module->ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
+
+               /* compute the new nt hash */
+               ok = E_md4hash(io->n.cleartext, hash->hash);
+               if (ok) {
+                       io->n.nt_hash = hash;
+               } else {
+                       ldb_asprintf_errstring(io->ac->module->ldb,
+                                              "setup_password_fields: "
+                                              "failed to generate nthash from cleartext password");
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
        }
        }
-       if (samdb_msg_add_hashes(msg, msg, "sambaNTPwdHistory", new_nt_history, nt_hist_len) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+
+       if (io->n.cleartext && !io->n.lm_hash) {
+               struct samr_Password *hash;
+
+               hash = talloc(io->ac, struct samr_Password);
+               if (!hash) {
+                       ldb_oom(io->ac->module->ldb);
+                       return LDB_ERR_OPERATIONS_ERROR;
+               }
+
+               /* compute the new lm hash */
+               ok = E_deshash(io->n.cleartext, hash->hash);
+               if (ok) {
+                       io->n.lm_hash = hash;
+               } else {
+                       talloc_free(hash->hash);
+               }
        }
        }
-               
 
 
-       /* Don't store 'long' passwords in the LM history, 
-          but make sure to 'expire' one password off the other end */
-       new_lm_history = talloc_array(msg, struct samr_Password, hlen);
-       if (new_lm_history == NULL) {
-               return LDB_ERR_OPERATIONS_ERROR;
+       ret = setup_nt_fields(io);
+       if (ret != 0) {
+               return ret;
        }
        }
-       for (i = 0; i < MIN(hlen-1, lm_hist_len); i++) {
-               new_lm_history[i+1] = lm_history[i];
+
+       ret = setup_lm_fields(io);
+       if (ret != 0) {
+               return ret;
        }
        }
-       lm_hist_len = i + 1;
-       if (lm_hash) {
-               new_lm_history[0] = *lm_hash;
-       } else {
-               ZERO_STRUCT(new_lm_history[0]);
+
+       ret = setup_supplemental_field(io);
+       if (ret != 0) {
+               return ret;
        }
        }
-       if (ldb_msg_add_empty(msg, "sambaLMPwdHistory", LDB_FLAG_MOD_REPLACE) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+
+       ret = setup_last_set_field(io);
+       if (ret != 0) {
+               return ret;
        }
        }
-       if (samdb_msg_add_hashes(msg, msg, "sambaLMPwdHistory", new_lm_history, lm_hist_len) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+
+       ret = setup_kvno_field(io);
+       if (ret != 0) {
+               return ret;
        }
 
        return LDB_SUCCESS;
        }
 
        return LDB_SUCCESS;
@@ -453,11 +1168,6 @@ static int get_domain_data_callback(struct ldb_context *ldb, void *context, stru
 {
        struct ph_context *ac;
 
 {
        struct ph_context *ac;
 
-       if (!context || !ares) {
-               ldb_set_errstring(ldb, "NULL Context or Result in callback");
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-
        ac = talloc_get_type(context, struct ph_context);
 
        /* we are interested only in the single reply (base search) we receive here */
        ac = talloc_get_type(context, struct ph_context);
 
        /* we are interested only in the single reply (base search) we receive here */
@@ -500,7 +1210,7 @@ static int build_domain_data_request(struct ph_context *ac)
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       ac->dom_req->op.search.tree = ldb_parse_tree(ac->module->ldb, filter);
+       ac->dom_req->op.search.tree = ldb_parse_tree(ac->dom_req, filter);
        if (ac->dom_req->op.search.tree == NULL) {
                ldb_set_errstring(ac->module->ldb, "Invalid search filter");
                talloc_free(ac->dom_req);
        if (ac->dom_req->op.search.tree == NULL) {
                ldb_set_errstring(ac->module->ldb, "Invalid search filter");
                talloc_free(ac->dom_req);
@@ -535,7 +1245,8 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx,
                return NULL;
        }
 
                return NULL;
        }
 
-       data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
+       data->pwdProperties= samdb_result_uint(res->message, "pwdProperties", 0);
+       data->store_cleartext = data->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT;
        data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
 
        /* For a domain DN, this puts things in dotted notation */
        data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
 
        /* For a domain DN, this puts things in dotted notation */
@@ -565,6 +1276,15 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *ctx,
                        ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
                        return NULL;
                }
                        ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
                        return NULL;
                }
+               p = strchr(tmp, '.');
+               if (p) {
+                       p[0] = '\0';
+               }
+               data->netbios_domain = strupper_talloc(data, tmp);
+               if (data->netbios_domain == NULL) {
+                       ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Out of memory!\n");
+                       return NULL;
+               }
        }
 
        return data;
        }
 
        return data;
@@ -586,15 +1306,19 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
        }
 
        /* If the caller is manipulating the local passwords directly, let them pass */
        }
 
        /* If the caller is manipulating the local passwords directly, let them pass */
-       if (ldb_dn_compare_base(module->ldb, 
-                               ldb_dn_explode(req, LOCAL_BASE),
+       if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
                                req->op.add.message->dn) == 0) {
                return ldb_next_request(module, req);
        }
 
                                req->op.add.message->dn) == 0) {
                return ldb_next_request(module, req);
        }
 
-       /* nobody must touch password Histories */
-       if (ldb_msg_find_element(req->op.add.message, "sambaNTPwdHistory") ||
-           ldb_msg_find_element(req->op.add.message, "sambaLMPwdHistory")) {
+       /* nobody must touch this fields */
+       if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+       if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+       if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
@@ -602,8 +1326,8 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
         * or LM hashes, then we don't need to make any changes.  */
 
        sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
         * or LM hashes, then we don't need to make any changes.  */
 
        sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
-       ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
-       lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
+       ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
+       lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
 
        if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
                return ldb_next_request(module, req);
 
        if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
                return ldb_next_request(module, req);
@@ -624,11 +1348,25 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
        }
 
        if (ntAttr && (ntAttr->num_values > 1)) {
        }
 
        if (ntAttr && (ntAttr->num_values > 1)) {
-               ldb_set_errstring(module->ldb, "mupltiple values for lmPwdHash not allowed!\n");
+               ldb_set_errstring(module->ldb, "mupltiple values for unicodePwd not allowed!\n");
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
        if (lmAttr && (lmAttr->num_values > 1)) {
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
        if (lmAttr && (lmAttr->num_values > 1)) {
-               ldb_set_errstring(module->ldb, "mupltiple values for lmPwdHash not allowed!\n");
+               ldb_set_errstring(module->ldb, "mupltiple values for dBCSPwd not allowed!\n");
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
+       if (sambaAttr && sambaAttr->num_values == 0) {
+               ldb_set_errstring(module->ldb, "sambaPassword must have a value!\n");
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+
+       if (ntAttr && (ntAttr->num_values == 0)) {
+               ldb_set_errstring(module->ldb, "unicodePwd must have a value!\n");
+               return LDB_ERR_CONSTRAINT_VIOLATION;
+       }
+       if (lmAttr && (lmAttr->num_values == 0)) {
+               ldb_set_errstring(module->ldb, "dBCSPwd must have a value!\n");
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
@@ -662,8 +1400,8 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
        struct ph_context *ac;
        struct domain_data *domain;
        struct smb_krb5_context *smb_krb5_context;
        struct ph_context *ac;
        struct domain_data *domain;
        struct smb_krb5_context *smb_krb5_context;
-       struct ldb_message_element *sambaAttr;
        struct ldb_message *msg;
        struct ldb_message *msg;
+       struct setup_password_fields_io io;
        int ret;
 
        ac = talloc_get_type(h->private_data, struct ph_context);
        int ret;
 
        ac = talloc_get_type(h->private_data, struct ph_context);
@@ -685,55 +1423,90 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
        }
 
        /* Some operations below require kerberos contexts */
        }
 
        /* Some operations below require kerberos contexts */
-       if (smb_krb5_init_context(ac->down_req, &smb_krb5_context) != 0) {
+       if (smb_krb5_init_context(ac->down_req, 
+                                 ldb_get_opaque(h->module->ldb, "EventContext"), 
+                                 &smb_krb5_context) != 0) {
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       /* if we have sambaPassword in the original message add the operatio on it here */
-       sambaAttr = ldb_msg_find_element(msg, "sambaPassword");
-       if (sambaAttr) {
-               ret = add_password_hashes(ac->module, msg, 0);
-               /* we can compute new password hashes from the unicode password */
+       ZERO_STRUCT(io);
+       io.ac                           = ac;
+       io.domain                       = domain;
+       io.smb_krb5_context             = smb_krb5_context;
+
+       io.u.user_account_control       = samdb_result_uint(msg, "userAccountControl", 0);
+       io.u.sAMAccountName             = samdb_result_string(msg, "samAccountName", NULL);
+       io.u.user_principal_name        = samdb_result_string(msg, "userPrincipalName", NULL);
+       io.u.is_computer                = ldb_msg_check_string_attribute(msg, "objectClass", "computer");
+
+       io.n.cleartext                  = samdb_result_string(msg, "sambaPassword", NULL);
+       io.n.nt_hash                    = samdb_result_hash(io.ac, msg, "unicodePwd");
+       io.n.lm_hash                    = samdb_result_hash(io.ac, msg, "dBCSPwd");
+
+       /* remove attributes */
+       if (io.n.cleartext) ldb_msg_remove_attr(msg, "sambaPassword");
+       if (io.n.nt_hash) ldb_msg_remove_attr(msg, "unicodePwd");
+       if (io.n.lm_hash) ldb_msg_remove_attr(msg, "dBCSPwd");
+       ldb_msg_remove_attr(msg, "pwdLastSet");
+       io.o.kvno = samdb_result_uint(msg, "msDs-KeyVersionNumber", 1) - 1;
+       ldb_msg_remove_attr(msg, "msDs-KeyVersionNumber");
+
+       ret = setup_password_fields(&io);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+
+       if (io.g.nt_hash) {
+               ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+                                        "unicodePwd", io.g.nt_hash);
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
-               
-               /* now add krb5 keys based on unicode password */
-               ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
-                                                 ldb_msg_find_attr_as_string(msg, "samAccountName", NULL),
-                                                 ldb_msg_find_attr_as_string(msg, "userPrincipalName", NULL),
-                                                 ldb_msg_check_string_attribute(msg, "objectClass", "computer"));
+       }
+       if (io.g.lm_hash) {
+               ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+                                        "dBCSPwd", io.g.lm_hash);
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
-               
-               /* add also kr5 keys based on NT the hash */
-               ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
+       }
+       if (io.g.nt_history_len > 0) {
+               ret = samdb_msg_add_hashes(ac, msg,
+                                          "ntPwdHistory",
+                                          io.g.nt_history,
+                                          io.g.nt_history_len);
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
                if (ret != LDB_SUCCESS) {
                        return ret;
                }
-               
-               /* if both the domain properties and the user account controls do not permit
-                * clear text passwords then wipe out the sambaPassword */
-               if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
-                   (!(ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
-                       ldb_msg_remove_attr(msg, "sambaPassword");
-               }
        }
        }
-
-       /* don't touch it if a value is set. It could be an incoming samsync */
-       if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
-               if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {
-                       return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.lm_history_len > 0) {
+               ret = samdb_msg_add_hashes(ac, msg,
+                                          "lmPwdHistory",
+                                          io.g.lm_history,
+                                          io.g.lm_history_len);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
                }
        }
                }
        }
-
-       /* don't touch it if a value is set. It could be an incoming samsync */
-       if (!ldb_msg_find_element(msg, "msDS-KeyVersionNumber")) {
-               if (add_keyVersionNumber(ac->module, msg, 0) != LDB_SUCCESS) {
-                       return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.supplemental.length > 0) {
+               ret = ldb_msg_add_value(msg, "supplementalCredentials",
+                                       &io.g.supplemental, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
                }
        }
                }
        }
+       ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
+                                  "pwdLastSet",
+                                  io.g.last_set);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+       ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
+                                "msDs-KeyVersionNumber",
+                                io.g.kvno);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
 
        h->state = LDB_ASYNC_INIT;
        h->status = LDB_SUCCESS;
 
        h->state = LDB_ASYNC_INIT;
        h->status = LDB_SUCCESS;
@@ -764,21 +1537,32 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
        }
        
        /* If the caller is manipulating the local passwords directly, let them pass */
        }
        
        /* If the caller is manipulating the local passwords directly, let them pass */
-       if (ldb_dn_compare_base(module->ldb, 
-                               ldb_dn_explode(req, LOCAL_BASE),
+       if (ldb_dn_compare_base(ldb_dn_new(req, module->ldb, LOCAL_BASE),
                                req->op.mod.message->dn) == 0) {
                return ldb_next_request(module, req);
        }
 
        /* nobody must touch password Histories */
                                req->op.mod.message->dn) == 0) {
                return ldb_next_request(module, req);
        }
 
        /* nobody must touch password Histories */
-       if (ldb_msg_find_element(req->op.mod.message, "sambaNTPwdHistory") ||
-           ldb_msg_find_element(req->op.mod.message, "sambaLMPwdHistory")) {
+       if (ldb_msg_find_element(req->op.add.message, "ntPwdHistory")) {
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+       if (ldb_msg_find_element(req->op.add.message, "lmPwdHistory")) {
+               return LDB_ERR_UNWILLING_TO_PERFORM;
+       }
+       if (ldb_msg_find_element(req->op.add.message, "supplementalCredentials")) {
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
        sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
        sambaAttr = ldb_msg_find_element(req->op.mod.message, "sambaPassword");
-       ntAttr = ldb_msg_find_element(req->op.mod.message, "ntPwdHash");
-       lmAttr = ldb_msg_find_element(req->op.mod.message, "lmPwdHash");
+       ntAttr = ldb_msg_find_element(req->op.mod.message, "unicodePwd");
+       lmAttr = ldb_msg_find_element(req->op.mod.message, "dBCSPwd");
+
+       /* If no part of this touches the sambaPassword OR unicodePwd and/or dBCSPwd, then we don't
+        * need to make any changes.  For password changes/set there should
+        * be a 'delete' or a 'modify' on this attribute. */
+       if ((!sambaAttr) && (!ntAttr) && (!lmAttr)) {
+               return ldb_next_request(module, req);
+       }
 
        /* check passwords are single valued here */
        /* TODO: remove this when passwords will be single valued in schema */
 
        /* check passwords are single valued here */
        /* TODO: remove this when passwords will be single valued in schema */
@@ -792,17 +1576,6 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
-       /* If no part of this touches the sambaPassword OR ntPwdHash and/or lmPwdHash, then we don't
-        * need to make any changes.  For password changes/set there should
-        * be a 'delete' or a 'modify' on this attribute. */
-       /* If the only operation is the deletion of the passwords then go on */
-       if (       ((!sambaAttr) || ((sambaAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
-               && ((!ntAttr) || ((ntAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))
-               && ((!lmAttr) || ((lmAttr->flags & LDB_FLAG_MOD_MASK) == LDB_FLAG_MOD_DELETE))  ) {
-
-               return ldb_next_request(module, req);
-       }
-
        h = ph_init_handle(req, module, PH_MOD);
        if (!h) {
                return LDB_ERR_OPERATIONS_ERROR;
        h = ph_init_handle(req, module, PH_MOD);
        if (!h) {
                return LDB_ERR_OPERATIONS_ERROR;
@@ -827,8 +1600,8 @@ static int password_hash_modify(struct ldb_module *module, struct ldb_request *r
        /* - remove any imodification to the password from the first commit
         *   we will make the real modification later */
        if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
        /* - remove any imodification to the password from the first commit
         *   we will make the real modification later */
        if (sambaAttr) ldb_msg_remove_attr(msg, "sambaPassword");
-       if (ntAttr) ldb_msg_remove_attr(msg, "ntPwdHash");
-       if (lmAttr) ldb_msg_remove_attr(msg, "lmPwdHash");
+       if (ntAttr) ldb_msg_remove_attr(msg, "unicodePwd");
+       if (lmAttr) ldb_msg_remove_attr(msg, "dBCSPwd");
 
        /* if there was nothing else to be modify skip to next step */
        if (msg->num_elements == 0) {
 
        /* if there was nothing else to be modify skip to next step */
        if (msg->num_elements == 0) {
@@ -851,11 +1624,6 @@ static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_
 {
        struct ph_context *ac;
 
 {
        struct ph_context *ac;
 
-       if (!context || !ares) {
-               ldb_set_errstring(ldb, "NULL Context or Result in callback");
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
-
        ac = talloc_get_type(context, struct ph_context);
 
        /* we are interested only in the single reply (base search) we receive here */
        ac = talloc_get_type(context, struct ph_context);
 
        /* we are interested only in the single reply (base search) we receive here */
@@ -885,12 +1653,13 @@ static int get_self_callback(struct ldb_context *ldb, void *context, struct ldb_
 static int password_hash_mod_search_self(struct ldb_handle *h) {
 
        struct ph_context *ac;
 static int password_hash_mod_search_self(struct ldb_handle *h) {
 
        struct ph_context *ac;
-       static const char * const attrs[] = { "userAccountControl", "sambaLMPwdHistory", 
-                                             "sambaNTPwdHistory", 
+       static const char * const attrs[] = { "userAccountControl", "lmPwdHistory", 
+                                             "ntPwdHistory", 
                                              "objectSid", "msDS-KeyVersionNumber", 
                                              "objectClass", "userPrincipalName",
                                              "objectSid", "msDS-KeyVersionNumber", 
                                              "objectClass", "userPrincipalName",
-                                             "samAccountName", 
-                                             "lmPwdHash", "ntPwdHash",
+                                             "sAMAccountName", 
+                                             "dBCSPwd", "unicodePwd",
+                                             "supplementalCredentials",
                                              NULL };
 
        ac = talloc_get_type(h->private_data, struct ph_context);
                                              NULL };
 
        ac = talloc_get_type(h->private_data, struct ph_context);
@@ -905,7 +1674,7 @@ static int password_hash_mod_search_self(struct ldb_handle *h) {
        ac->search_req->operation = LDB_SEARCH;
        ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
        ac->search_req->op.search.scope = LDB_SCOPE_BASE;
        ac->search_req->operation = LDB_SEARCH;
        ac->search_req->op.search.base = ac->orig_req->op.mod.message->dn;
        ac->search_req->op.search.scope = LDB_SCOPE_BASE;
-       ac->search_req->op.search.tree = ldb_parse_tree(ac->module->ldb, NULL);
+       ac->search_req->op.search.tree = ldb_parse_tree(ac->search_req, NULL);
        if (ac->search_req->op.search.tree == NULL) {
                ldb_set_errstring(ac->module->ldb, "Invalid search filter");
                return LDB_ERR_OPERATIONS_ERROR;
        if (ac->search_req->op.search.tree == NULL) {
                ldb_set_errstring(ac->module->ldb, "Invalid search filter");
                return LDB_ERR_OPERATIONS_ERROR;
@@ -951,11 +1720,11 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
        struct ph_context *ac;
        struct domain_data *domain;
        struct smb_krb5_context *smb_krb5_context;
        struct ph_context *ac;
        struct domain_data *domain;
        struct smb_krb5_context *smb_krb5_context;
-       struct ldb_message_element *sambaAttr;
        struct ldb_message *msg;
        struct ldb_message *msg;
-       int phlen;
+       struct ldb_message *orig_msg;
+       struct ldb_message *searched_msg;
+       struct setup_password_fields_io io;
        int ret;
        int ret;
-       BOOL added_hashes = False;
 
        ac = talloc_get_type(h->private_data, struct ph_context);
 
 
        ac = talloc_get_type(h->private_data, struct ph_context);
 
@@ -981,96 +1750,99 @@ static int password_hash_mod_do_mod(struct ldb_handle *h) {
        msg->dn = ac->orig_req->op.mod.message->dn;
 
        /* Some operations below require kerberos contexts */
        msg->dn = ac->orig_req->op.mod.message->dn;
 
        /* Some operations below require kerberos contexts */
-       if (smb_krb5_init_context(ac->mod_req, &smb_krb5_context) != 0) {
+       if (smb_krb5_init_context(ac->mod_req, 
+                                 ldb_get_opaque(h->module->ldb, "EventContext"), 
+                                 &smb_krb5_context) != 0) {
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
                return LDB_ERR_OPERATIONS_ERROR;
        }
 
-       /* we are going to replace the existing krb5key or delete it */
-       if (ldb_msg_add_empty(msg, "krb5key", LDB_FLAG_MOD_REPLACE) != 0) {
-               return LDB_ERR_OPERATIONS_ERROR;
-       }
+       orig_msg        = discard_const(ac->orig_req->op.mod.message);
+       searched_msg    = ac->search_res->message;
 
 
-       /* if we have sambaPassword in the original message add the operation on it here */
-       sambaAttr = ldb_msg_find_element(ac->orig_req->op.mod.message, "sambaPassword");
-       if (sambaAttr) {
+       ZERO_STRUCT(io);
+       io.ac                           = ac;
+       io.domain                       = domain;
+       io.smb_krb5_context             = smb_krb5_context;
 
 
-               if (ldb_msg_add(msg, sambaAttr, sambaAttr->flags) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
+       io.u.user_account_control       = samdb_result_uint(searched_msg, "userAccountControl", 0);
+       io.u.sAMAccountName             = samdb_result_string(searched_msg, "samAccountName", NULL);
+       io.u.user_principal_name        = samdb_result_string(searched_msg, "userPrincipalName", NULL);
+       io.u.is_computer                = ldb_msg_check_string_attribute(searched_msg, "objectClass", "computer");
 
 
-               /* if we are actually settting a new unicode password,
-                * use it to generate the password hashes */
-               if (((sambaAttr->flags & LDB_FLAG_MOD_MASK) != LDB_FLAG_MOD_DELETE)
-                   && (sambaAttr->num_values == 1)) {
-                       /* we can compute new password hashes from the unicode password */
-                       ret = add_password_hashes(ac->module, msg, 1);
-                       if (ret != LDB_SUCCESS) {
-                               return ret;
-                       }
-
-                       added_hashes = True;
-
-                       /* now add krb5 keys based on unicode password */
-                       ret = add_krb5_keys_from_password(ac->module, msg, smb_krb5_context, domain,
-                                                         ldb_msg_find_attr_as_string(ac->search_res->message, "samAccountName", NULL),
-                                                         ldb_msg_find_attr_as_string(ac->search_res->message, "userPrincipalName", NULL),
-                                                         ldb_msg_check_string_attribute(ac->search_res->message, "objectClass", "computer"));
-
-                       if (ret != LDB_SUCCESS) {
-                               return ret;
-                       }
-
-                       /* if the domain properties or the user account controls do not permit
-                        * clear text passwords then wipe out the sambaPassword */
-                       if ((!(domain->pwdProperties & DOMAIN_PASSWORD_STORE_CLEARTEXT)) ||
-                           (!(ldb_msg_find_attr_as_uint(ac->search_res->message, "userAccountControl", 0) & UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED))) {
-                               ldb_msg_remove_attr(msg, "sambaPassword");
-                       }
+       io.n.cleartext                  = samdb_result_string(orig_msg, "sambaPassword", NULL);
+       io.n.nt_hash                    = samdb_result_hash(io.ac, orig_msg, "unicodePwd");
+       io.n.lm_hash                    = samdb_result_hash(io.ac, orig_msg, "dBCSPwd");
 
 
-               }
+       io.o.kvno                       = samdb_result_uint(searched_msg, "msDs-KeyVersionNumber", 0);
+       io.o.nt_history_len             = samdb_result_hashes(io.ac, searched_msg, "ntPwdHistory", &io.o.nt_history);
+       io.o.lm_history_len             = samdb_result_hashes(io.ac, searched_msg, "lmPwdHistory", &io.o.lm_history);
+       io.o.supplemental               = ldb_msg_find_ldb_val(searched_msg, "supplementalCredentials");
+
+       ret = setup_password_fields(&io);
+       if (ret != LDB_SUCCESS) {
+               return ret;
        }
 
        }
 
-       /* if we didn't create the hashes above, try using values supplied directly */
-       if (!added_hashes) {
-               struct ldb_message_element *el;
-               
-               el = ldb_msg_find_element(ac->orig_req->op.mod.message, "ntPwdHash");
-               if (ldb_msg_add(msg, el, el->flags) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
-               }
-               
-               el = ldb_msg_find_element(ac->orig_req->op.mod.message, "lmPwdHash");
-               if (ldb_msg_add(msg, el, el->flags) != 0) {
-                       return LDB_ERR_OPERATIONS_ERROR;
+       /* make sure we replace all the old attributes */
+       ret = ldb_msg_add_empty(msg, "unicodePwd", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "dBCSPwd", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "ntPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "lmPwdHistory", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "supplementalCredentials", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "pwdLastSet", LDB_FLAG_MOD_REPLACE, NULL);
+       ret = ldb_msg_add_empty(msg, "msDs-KeyVersionNumber", LDB_FLAG_MOD_REPLACE, NULL);
+
+       if (io.g.nt_hash) {
+               ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+                                        "unicodePwd", io.g.nt_hash);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
                }
        }
                }
        }
-
-       /* add also krb5 keys based on NT the hash */
-       if (add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.lm_hash) {
+               ret = samdb_msg_add_hash(ac->module->ldb, ac, msg,
+                                        "dBCSPwd", io.g.lm_hash);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
        }
        }
-
-       /* set change time */
-       if (set_pwdLastSet(ac->module, msg, 1) != LDB_SUCCESS) {
-               return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.nt_history_len > 0) {
+               ret = samdb_msg_add_hashes(ac, msg,
+                                          "ntPwdHistory",
+                                          io.g.nt_history,
+                                          io.g.nt_history_len);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
+               }
        }
        }
-
-       /* don't touch it if a value is set. It could be an incoming samsync */
-       if (!ldb_msg_find_element(ac->orig_req->op.mod.message, 
-                                "msDS-KeyVersionNumber")) {
-               if (add_keyVersionNumber(ac->module, msg,
-                                        ldb_msg_find_attr_as_uint(ac->search_res->message, 
-                                                          "msDS-KeyVersionNumber", 0)
-                           ) != LDB_SUCCESS) {
-                       return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.lm_history_len > 0) {
+               ret = samdb_msg_add_hashes(ac, msg,
+                                          "lmPwdHistory",
+                                          io.g.lm_history,
+                                          io.g.lm_history_len);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
                }
        }
                }
        }
-
-       if ((phlen = samdb_result_uint(ac->dom_res->message, "pwdHistoryLength", 0)) > 0) {
-               if (setPwdHistory(ac->module, msg, ac->search_res->message, phlen) != LDB_SUCCESS) {
-                       return LDB_ERR_OPERATIONS_ERROR;
+       if (io.g.supplemental.length > 0) {
+               ret = ldb_msg_add_value(msg, "supplementalCredentials",
+                                       &io.g.supplemental, NULL);
+               if (ret != LDB_SUCCESS) {
+                       return ret;
                }
        }
                }
        }
+       ret = samdb_msg_add_uint64(ac->module->ldb, ac, msg,
+                                  "pwdLastSet",
+                                  io.g.last_set);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+       ret = samdb_msg_add_uint(ac->module->ldb, ac, msg,
+                                "msDs-KeyVersionNumber",
+                                io.g.kvno);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
 
        h->state = LDB_ASYNC_INIT;
        h->status = LDB_SUCCESS;
 
        h->state = LDB_ASYNC_INIT;
        h->status = LDB_SUCCESS;
@@ -1173,6 +1945,10 @@ static int ph_wait(struct ldb_handle *handle) {
                        return LDB_SUCCESS;
                }
 
                        return LDB_SUCCESS;
                }
 
+               if (ac->search_res == NULL) {
+                       return LDB_ERR_NO_SUCH_OBJECT;
+               }
+
                /* self search done, go on */
                return password_hash_mod_search_dom(handle);
                
                /* self search done, go on */
                return password_hash_mod_search_dom(handle);
                
Samba Shared Repository