From: Jo Sutton <josutton@catalyst.net.nz>
Date: Thu, 18 Jan 2024 23:38:24 +0000 (+1300)
Subject: s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search
X-Git-Tag: tdb-1.4.11~1748
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=635f6baf7bccc64da5fa8591dee41c379f83601b;p=thirdparty%2Fsamba.git

s3:libads: Remove ‘unicodePwd’ attribute from ads_find_machine_acct() search

This attribute was added to the search in commit
4f389c1f78cdc2424795e3b2a1ce43818c400c2d. But it’s not clear to me that
anything actually retrieves the unicodePwd from the result (excluding
inconsequential things like ads_dump()).

Furthermore, this being a search over LDAP, it will never return a
unicodePwd.

Removing this attribute from the search means that we no longer have to
worry about the account possibly being a Group Managed Service Account
and the unicodePwd being out‐of‐date.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---

diff --git a/source3/libads/ldap.c b/source3/libads/ldap.c
index b5139e59cfb..7f3c20746c8 100644
--- a/source3/libads/ldap.c
+++ b/source3/libads/ldap.c
@@ -1687,7 +1687,6 @@ char *ads_parent_dn(const char *dn)
 		"DnsHostName",
 		"ServicePrincipalName",
 		"userPrincipalName",
-		"unicodePwd",
 
 		/* Additional attributes Samba checks */
 		"msDS-AdditionalDnsHostName",