From fdd62e9699b181a140292689fcd88a559bc26211 Mon Sep 17 00:00:00 2001
From: =?utf8?q?Matthias=20Dieter=20Walln=C3=B6fer?=
Date: Wed, 19 Aug 2009 12:37:11 +0200
Subject: [PATCH 1/1] s4: Let the "setpassword" script finally use the "samdb_set_password" routine

The "setpassword" script should use the "samdb_set_password" call to change the NT user password. Windows Server tests show that "userPassword" is not the right place to save the NT password and does not inherit the password complexity.
---
 source4/scripting/python/pyglue.c | 65 ++++++++++++++++++++++++-
 source4/scripting/python/samba/samdb.py | 14 +++---
 2 files changed, 70 insertions(+), 9 deletions(-)

diff --git a/source4/scripting/python/pyglue.c b/source4/scripting/python/pyglue.c
index 42c04c1f384..3e6233b4c42 100644
--- a/source4/scripting/python/pyglue.c
+++ b/source4/scripting/python/pyglue.c
@@ -220,13 +220,69 @@ static PyObject *py_samdb_get_domain_sid(PyLdbObject *self, PyObject *args)
 if (!sid) {
 PyErr_SetString(PyExc_RuntimeError, "samdb_domain_sid failed");
 return NULL;
- }
+ }
+
 retstr = dom_sid_string(NULL, sid);
 ret = PyString_FromString(retstr);
 talloc_free(retstr);
+
 return ret;
 }
+static PyObject *py_samdb_set_password(PyLdbObject *self, PyObject *args,
+ PyObject *kwargs)
+{
+ PyObject *py_sam, *py_user_dn, *py_dom_dn, *py_mod, *py_user_change;
+ char *new_password;
+ bool user_change;
+ DATA_BLOB new_pwd_blob;
+ struct ldb_context *sam_ctx;
+ struct ldb_dn *user_dn, *dom_dn;
+ struct ldb_message *mod;
+ TALLOC_CTX *mem_ctx;
+ NTSTATUS status;
+ const char * const kwnames[] = { "samdb", "user_dn", "dom_dn", "mod",
+ "new_password", "user_change", NULL };
+
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "OOOOsO",
+ discard_const_p(char *, kwnames),
+ &py_sam, &py_user_dn, &py_dom_dn, &py_mod, &new_password,
+ &py_user_change))
+ return NULL;
+
+ sam_ctx = PyLdb_AsLdbContext(py_sam);
+
+ mem_ctx = talloc_new(NULL);
+ if (mem_ctx == NULL) {
+ PyErr_NoMemory();
+ }
+
+ if (!PyObject_AsDn(mem_ctx, py_user_dn, sam_ctx, &user_dn)) {
+ PyErr_SetString(PyExc_RuntimeError, "user_dn invalid!");
+ return NULL;
+ }
+
+ if (!PyObject_AsDn(mem_ctx, py_dom_dn, sam_ctx, &dom_dn)) {
+ PyErr_SetString(PyExc_RuntimeError, "dom_dn invalid!");
+ return NULL;
+ }
+
+ mod = PyLdbMessage_AsMessage(py_mod);
+
+ user_change = PyInt_AsLong(py_user_change);
+
+ new_pwd_blob.data = (uint8_t *) new_password;
+ new_pwd_blob.length = strlen((char *) new_pwd_blob.data);
+
+ status = samdb_set_password(sam_ctx, mem_ctx, user_dn, dom_dn, mod,
+ &new_pwd_blob, NULL, NULL, user_change, NULL, NULL);
+
+ talloc_free(mem_ctx);
+
+ PyErr_NTSTATUS_IS_ERR_RAISE(status);
+ Py_RETURN_NONE;
+}
+
 static PyObject *py_ldb_register_samba_handlers(PyObject *self, PyObject *args)
 {
 PyObject *py_ldb;
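Review bot: In py_samdb_set_password the `mem_ctx == NULL` branch calls `PyErr_NoMemory();` and then falls through, so the function carries on with a NULL context and a pending exception; it needs `return NULL;` after that call. The two `PyObject_AsDn` failure branches return without `talloc_free(mem_ctx);`, so every invalid DN leaks the context. `py_sam` and `py_mod` are parsed with the untyped `O` format and passed directly to `PyLdb_AsLdbContext` and `PyLdbMessage_AsMessage`, so an argument of any other Python type would presumably be read as an ldb structure; checking the object types first and raising TypeError keeps a scripting mistake from becoming memory corruption. `PyInt_AsLong(py_user_change)` is also assigned to a bool unchecked, so its -1 error return would be stored as true.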
@@ -440,7 +496,8 @@ static PyObject *py_dom_sid_to_rid(PyLdbObject *self, PyObject *args)
 sid = dom_sid_parse_talloc(NULL, PyString_AsString(py_sid));
- status = dom_sid_split_rid(NULL, sid, NULL, &rid);
+ status = dom_sid_split_rid(NULL, (const struct dom_sid *)sid, NULL,
+ &rid);
 if (!NT_STATUS_IS_OK(status)) {
 PyErr_SetString(PyExc_RuntimeError, "dom_sid_split_rid failed");
 return NULL;
@@ -470,6 +527,10 @@ static PyMethodDef py_misc_methods[] = {
 { "samdb_get_domain_sid", (PyCFunction)py_samdb_get_domain_sid, METH_VARARGS,
 "samdb_get_domain_sid(samdb)\n"
 "Get SID of domain in use." },
+ { "samdb_set_password", (PyCFunction)py_samdb_set_password,
+ METH_VARARGS|METH_KEYWORDS,
+ "samdb_set_password(samdb, user_dn, dom_dn, mod, new_password, user_change)\n"
+ "Set the password of a user" },
 { "ldb_register_samba_handlers", (PyCFunction)py_ldb_register_samba_handlers, METH_VARARGS,
 "ldb_register_samba_handlers(ldb)\n"
 "Register Samba-specific LDB modules and schemas." },
diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index a58d6c5b124..b78c8f37d93 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -161,14 +161,14 @@ pwdLastSet: 0
 assert(len(res) == 1)
 user_dn = res[0].dn
- setpw = """
-dn: %s
-changetype: modify
-replace: userPassword
-userPassword:: %s
-""" % (user_dn, base64.b64encode(password))
+ mod = ldb.Message()
+ mod.dn = user_dn
+
+ glue.samdb_set_password(samdb=self, user_dn=str(user_dn),
+ dom_dn=self.domain_dn(), mod=mod, new_password=password,
+ user_change=True)
- self.modify_ldif(setpw)
+ self.modify(mod)
 if force_password_change_at_next_login:
 self.force_password_change_at_next_login(user_dn)
-- 
2.34.1
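Review bot: The added cast `(const struct dom_sid *)sid` in py_dom_sid_to_rid looks unnecessary: if `sid` is already a `struct dom_sid *` (its declaration is outside the hunk) it converts to the const-qualified pointer implicitly, and an explicit cast would hide a real type mismatch from the compiler, so `status = dom_sid_split_rid(NULL, sid, NULL, &rid);` is enough. The context line above also hands the result of `dom_sid_parse_talloc` on without a NULL check, so an unparseable SID string appears to reach `dom_sid_split_rid` as NULL.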
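Review bot: `self.modify(mod)` runs only after py_samdb_set_password has called `talloc_free(mem_ctx)` on the same context it passed to `samdb_set_password` together with `mod`; if that routine allocates the attribute values it appends to `mod` on `mem_ctx` (its body is not shown here), the message would point at freed memory by the time it is written. The ownership is worth confirming, and if it is so, the values should be reparented to the message before the context is freed. Separately, `user_change=True` is passed from what reads as an administrative set-password path, so a comment such as `# user_change=True: apply the domain password policy to this set` would record that the stricter checks are intended. The enclosing method starts outside the hunk.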