r16240: Add better error reporting in the password_hash module
authorAndrew Bartlett <abartlet@samba.org>
Thu, 15 Jun 2006 00:29:11 +0000 (00:29 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 19:09:08 +0000 (14:09 -0500)
Remove duplicate attribute in search request

Search for the domain by NDR-encoded SID, not string (consistent with
the rest of the C code, and helps partially-constructed LDAP
backends).

Use the default basedn for the domain search.

Andrew Bartlett
(This used to be commit 2f104612cd6f170dd28fd4ce09156168d47a681a)

source4/dsdb/samdb/ldb_modules/password_hash.c

index 8a400fbc63b22467428e6a0e91600a16196519c5..2466aac4238a87795f6ab949b9747567d17647f7 100644 (file)
@@ -489,10 +489,11 @@ static int build_domain_data_request(struct ph_async_context *ac,
                return LDB_ERR_OPERATIONS_ERROR;
        }
        ac->dom_req->operation = LDB_SEARCH;
-       ac->dom_req->op.search.base = NULL;
+       ac->dom_req->op.search.base = samdb_base_dn(ac);
        ac->dom_req->op.search.scope = LDB_SCOPE_SUBTREE;
 
-       filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(objectClass=domain))", dom_sid_string(ac->dom_req, sid));
+       filter = talloc_asprintf(ac->dom_req, "(&(objectSid=%s)(objectClass=domain))", 
+                                ldap_encode_ndr_dom_sid(ac->dom_req, sid));
        if (filter == NULL) {
                ldb_debug(ac->module->ldb, LDB_DEBUG_ERROR, "Out of Memory!\n");
                talloc_free(ac->dom_req);
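Review bot: The result of `ldap_encode_ndr_dom_sid(ac->dom_req, sid)` is fed straight into the `%s` of `talloc_asprintf`, so a failed encoding is not caught by the `filter == NULL` test that follows. Depending on the platform's printf, a NULL argument either formats a literal `(null)` into the objectSid clause, giving a search that quietly matches nothing, or is undefined behaviour. Hold the encoded SID in a local first, `char *enc_sid = ldap_encode_ndr_dom_sid(ac->dom_req, sid);`, and when it is NULL take the same failure path as the `filter == NULL` branch before building the filter. The value returned by `samdb_base_dn(ac)` for the search base is assigned unchecked as well; its failure modes are not visible here, and the function body starts and ends outside the hunk.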
@@ -525,6 +526,12 @@ static struct domain_data *get_domain_data(struct ldb_module *module, void *mem_
                return NULL;
        }
 
+       if (res == NULL) {
+               ldb_debug(module->ldb, LDB_DEBUG_ERROR, "Could not find this user's domain!\n");
+               talloc_free(data);
+               return NULL;
+       }
+
        data->pwdProperties = samdb_result_uint(res->message, "pwdProperties", 0);
        data->pwdHistoryLength = samdb_result_uint(res->message, "pwdHistoryLength", 0);
        tmp = ldb_msg_find_string(res->message, "dnsDomain", NULL);
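Review bot: The new `res == NULL` branch reports the failure only through `ldb_debug`, so the caller receives a bare NULL and the client gets no error string, unlike the `ldb_set_errstring` call this commit adds in `password_hash_add`. Consider also setting the ldb error string there, e.g. `ldb_set_errstring(module->ldb, talloc_asprintf(module, "Could not find this user's domain"));`, so a rejected password operation can be diagnosed without debug logging. The log line would also be more useful for tracing failed password changes if it named the SID or base DN that was searched, assuming one is reachable from this function. The function starts and ends outside the hunk, so how callers treat the NULL return cannot be confirmed from here.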
@@ -575,14 +582,16 @@ static int password_hash_add(struct ldb_module *module, struct ldb_request *req)
        /* if it is not an entry of type person its an error */
        /* TODO: remove this when sambaPassword will be in schema */
        if (!ldb_msg_check_string_attribute(req->op.add.message, "objectClass", "person")) {
+               ldb_set_errstring(module->ldb, talloc_asprintf(module, "Cannot set a password on entry that does not have objectClass 'person'"));
                return LDB_ERR_OBJECT_CLASS_VIOLATION;
        }
 
        /* check sambaPassword is single valued here */
        /* TODO: remove this when sambaPassword will be single valued in schema */
        if (attribute->num_values > 1) {
-               ldb_set_errstring(module->ldb, talloc_asprintf(req,
-                                       "mupltiple values for sambaPassword not allowed!\n"));
+               ldb_set_errstring(module->ldb, 
+                                 talloc_asprintf(req,
+                                                 "mupltiple values for sambaPassword not allowed!\n"));
                return LDB_ERR_CONSTRAINT_VIOLATION;
        }
 
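Review bot: The two error strings in this hunk are built inconsistently: the added objectClass message is allocated on `module` with no trailing newline, while the re-wrapped sambaPassword message is allocated on `req`, ends in `\n`, and still carries the typo "mupltiple". Both pass a constant through `talloc_asprintf` with no format arguments; `talloc_strdup(req, "multiple values for sambaPassword not allowed")` expresses the same thing and keeps the text from being treated as a format string if someone later splices an attribute value into it. Using one talloc context (probably `req`, since the message belongs to this request) and one newline convention for both would make the client-visible errors uniform. The body of `password_hash_add` continues outside the hunk.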
@@ -825,7 +834,6 @@ static int password_hash_mod_search_self(struct ldb_async_handle *h) {
        struct ph_async_context *ac;
        static const char * const attrs[] = { "userAccountControl", "sambaLMPwdHistory", 
                                              "sambaNTPwdHistory", 
-                                             "ntPwdHash", 
                                              "objectSid", "msDS-KeyVersionNumber", 
                                              "objectClass", "userPrincipalName",
                                              "samAccountName",