s4:dsdb/password_hash: require a "Primary:Kerberos" blob in supplementalCredentials

[ira/wip.git] / source4 / dsdb / samdb / ldb_modules / password_hash.c

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index bf94ba3dc328744f68443b5e0fac643cfa7c6f39..553cd686a4bb707eccac419bea9232cfc3f2541e 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -301,6 +301,22 @@ static int password_hash_bypass(struct ldb_module *module, struct ldb_request *r
                        data_blob_free(&subblob);
                }
 
+               if (scpp == NULL) {
+                       return ldb_error(ldb,
+                                        LDB_ERR_CONSTRAINT_VIOLATION,
+                                        "Primary:Packages missing");
+               }
+
+               if (scpk == NULL) {
+                       /*
+                        * If Primary:Kerberos is missing w2k8r2 reboots
+                        * when a password is changed.
+                        */
+                       return ldb_error(ldb,
+                                        LDB_ERR_CONSTRAINT_VIOLATION,
+                                        "Primary:Kerberos missing");
+               }
+
                if (scpp) {
                        struct package_PackagesBlob *p;
                        uint32_t n;