r8983: The KVNO (Kerberos key version number) should be incremented with
authorAndrew Bartlett <abartlet@samba.org>
Wed, 3 Aug 2005 05:26:17 +0000 (05:26 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 18:31:03 +0000 (13:31 -0500)
every password set.

Andrew Bartlett
(This used to be commit 71958cb19f8a2289e97f29018bb252a7d4540258)

source4/rpc_server/samr/samr_password.c

index d251c02eca8bf683d79671027e9c1931bffb0ea4..48abc7cfde207ea0d9f1c7b62bc9515923e824ea 100644 (file)
@@ -510,6 +510,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
        struct samr_Password *new_lmPwdHistory, *new_ntPwdHistory;
        struct samr_Password local_lmNewHash, local_ntNewHash;
        int lmPwdHistory_len, ntPwdHistory_len;
+       uint_t kvno;
        struct ldb_message **res;
        int count;
        time_t now = time(NULL);
@@ -534,6 +535,7 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
        lmPwdHash =          samdb_result_hash(res[0],   "lmPwdHash");
        ntPwdHash =          samdb_result_hash(res[0],   "ntPwdHash");
        pwdLastSet =         samdb_result_uint64(res[0], "pwdLastSet", 0);
+       kvno =               samdb_result_uint(res[0],   "msDS-KeyVersionNumber", 0);
 
        /* pull the domain parameters */
        count = gendb_search_dn(ctx, mem_ctx, domain_dn, &res, domain_attrs);
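Review bot: The new `samdb_result_uint(res[0], "msDS-KeyVersionNumber", 0)` read returns the stored value only if the user search that filled `res` requested that attribute. The attribute list for that search is declared above the first hunk and this commit does not touch it. If `"msDS-KeyVersionNumber"` is missing from it, the default 0 is used on every call and the later write always stores 1, so the KVNO never advances and a KDC or keytab holder cannot tell keys from the old password from keys from the new one. Please confirm the list includes the attribute, or add `"msDS-KeyVersionNumber",` to it. The body of samdb_set_password starts and ends outside this hunk.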
@@ -679,6 +681,8 @@ NTSTATUS samdb_set_password(void *ctx, TALLOC_CTX *mem_ctx,
        }
 
        CHECK_RET(samdb_msg_add_uint64(ctx, mem_ctx, mod, "pwdLastSet", now_nt));
+
+       CHECK_RET(samdb_msg_add_uint(ctx, mem_ctx, mod, "msDS-KeyVersionNumber", kvno + 1));
        
        if (pwdHistoryLength == 0) {
                CHECK_RET(samdb_msg_add_delete(ctx, mem_ctx, mod, "lmPwdHistory"));
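Review bot: `kvno + 1` is computed from a value read from the user record roughly 150 lines earlier (the hunk at line 535), and the visible lines do not show the search and this modify running inside one transaction. If they are not, two concurrent password sets on the same account can both read the same kvno and write the same new number for different keys. I would confirm the caller holds a transaction and record that here, e.g. `/* kvno was read from the user record above; caller must hold a transaction so the increment is not lost */`. samdb_set_password continues outside the hunk.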