From 091e8fac3473e794e339b4a1a1ae819de8736af9 Mon Sep 17 00:00:00 2001 From: Sumit Bose Date: Oct 08 2013 07:18:57 +0000 Subject: Use the right attribute with ipapwd_entry_checks for MagicRegen There is a special mode to set the ipaNTHash attribute if a RC4 Kerberos key is available for the corresponding user. This is typically triggered by samba via the ipa_sam passdb plugin. The principal used by samba to connect to the IPA directory server has the right to modify ipaNTHash but no other password attribute. This means that the current check on the userPassword attribute is too strict for this case and leads to a failure of the whole operation. With this patch the access right on ipaNTHash are checked if no other password operations are requested. --- diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c index 8a22265..64a9d31 100644 --- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c +++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/prepost.c @@ -554,7 +554,8 @@ static int ipapwd_pre_mod(Slapi_PBlock *pb) rc = ipapwd_entry_checks(pb, e, &is_root, &is_krb, &is_smb, &is_ipant, - SLAPI_USERPWD_ATTR, SLAPI_ACL_WRITE); + is_pwd_op ? SLAPI_USERPWD_ATTR : "ipaNTHash", + SLAPI_ACL_WRITE); if (rc) { goto done; }
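Review bot: in the prepost.c hunk, the attribute passed to ipapwd_entry_checks is now chosen solely by is_pwd_op, so whenever is_pwd_op is false the ACL check is performed against ipaNTHash regardless of whether the modify actually touches ipaNTHash; the hunk does not show that this call is only reached for a password operation or the MagicRegen case, so either that invariant should be documented in a comment above the call, or the fallback should be gated on the operation really containing an ipaNTHash change, otherwise an unrelated modify by a principal without write rights on ipaNTHash would fail here. As a smaller point, `"ipaNTHash"` is passed as a bare string literal next to the SLAPI_USERPWD_ATTR macro; a named constant for the attribute would keep the two branches of the conditional symmetric and avoid the string being retyped elsewhere in the plugin.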