r19321: Merge from release branch:

Always set the krb5key from the ntPwdHash, even if we don't have the
cleartext password in sambaPassword.  This fixes kerberos after a
vampire.

Andrew Bartlett
(This used to be commit 1d4d2271c9b944db3a9a2eba971aec5bcd9cf100)

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 6f24c7fa4c9de409cb97b97386c34e51f0fcd640..a4862f3820cd2be9a99187ab402a810d08a4d71c 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -724,12 +724,6 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
                        return ret;
                }
                
-               /* add also kr5 keys based on NT the hash */
-               ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
-               if (ret != LDB_SUCCESS) {
-                       return ret;
-               }
-               
                /* if both the domain properties and the user account controls do not permit
                 * clear text passwords then wipe out the sambaPassword */
                user_account_control = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
@@ -740,6 +734,12 @@ static int password_hash_add_do_add(struct ldb_handle *h) {
                }
        }
 
+       /* add also krb5 keys based on NT the hash (we might have ntPwdHash, but not the cleartext */
+       ret = add_krb5_keys_from_NThash(ac->module, msg, smb_krb5_context);
+       if (ret != LDB_SUCCESS) {
+               return ret;
+       }
+               
        /* don't touch it if a value is set. It could be an incoming samsync */
        if (ldb_msg_find_attr_as_uint64(msg, "pwdLastSet", 0) == 0) {
                if (set_pwdLastSet(ac->module, msg, 0) != LDB_SUCCESS) {