object = s4connector._object_mapping(key, ucs_object, 'ucs')

	object = s4connector._object_mapping(key, ucs_object, 'ucs')

	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])

	s4_object_attributes = s4connector.lo_s4.get(compatible_modstring(object['dn']), ['objectSid', 'pwdLastSet'])

	pwdLastSet = None

	pwdLastSet = None

	if 'pwdLastSet' in s4_object_attributes:

	if 'pwdLastSet' in s4_object_attributes:

		pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])

		pwdLastSet = long(s4_object_attributes['pwdLastSet'][0])

	# if s4_object_attributes.has_key('objectSid'):

	# if s4_object_attributes.has_key('objectSid'):

	# 	rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])

	# 	rid = str(univention.s4connector.s4.decode_sid(s4_object_attributes['objectSid'][0]).split('-')[-1])

	filter_expr = format_escaped('(objectSid={0!e})', objectSid)

	filter_expr = format_escaped('(objectSid={0!e})', objectSid)

	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])

	res = s4connector.lo_s4.search(filter=filter_expr, attr=['unicodePwd', 'supplementalCredentials', 'msDS-KeyVersionNumber', 'dBCSPwd'])

	s4_search_attributes = res[0][1]

	s4_search_attributes = res[0][1]

	unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]

	unicodePwd_attr = s4_search_attributes.get('unicodePwd', [None])[0]

	if unicodePwd_attr:

	if unicodePwd_attr:

		ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()

		ntPwd = binascii.b2a_hex(unicodePwd_attr).upper()

		if dBCSPwd:

		if dBCSPwd:

			lmPwd = binascii.b2a_hex(dBCSPwd).upper()

			lmPwd = binascii.b2a_hex(dBCSPwd).upper()

		ntPwd_ucs = ''

		ntPwd_ucs = ''

		lmPwd_ucs = ''

		lmPwd_ucs = ''

		userPassword = ''

		userPassword = ''

		services = ucs_object_attributes.get('univentionService', [])

		services = ucs_object_attributes.get('univentionService', [])

		if 'S4 SlavePDC' in services:

		if 'S4 SlavePDC' in services:

			ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]

			ntPwd_ucs = ucs_object_attributes['sambaNTPassword'][0]

		if 'sambaLMPassword' in ucs_object_attributes:

		if 'sambaLMPassword' in ucs_object_attributes:

			lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]

			lmPwd_ucs = ucs_object_attributes['sambaLMPassword'][0]

		if 'userPassword' in ucs_object_attributes:

		if 'userPassword' in ucs_object_attributes:

			userPassword = ucs_object_attributes['userPassword'][0]

			userPassword = ucs_object_attributes['userPassword'][0]

		sambaPwdLastSet = None

		sambaPwdLastSet = None

		if 'sambaPwdMustChange' in ucs_object_attributes:

		if 'sambaPwdMustChange' in ucs_object_attributes:

			sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]

			sambaPwdMustChange = ucs_object_attributes['sambaPwdMustChange'][0]

		ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)

		ud.debug(ud.LDAP, ud.INFO, "password_sync_s4_to_ucs: sambaPwdMustChange: %s" % sambaPwdMustChange)

		userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]

		userPassword_ucs = ucs_object_attributes.get('userPassword', [None])[0]

		pwd_changed = False

		pwd_changed = False

		if ntPwd != ntPwd_ucs:

		if ntPwd != ntPwd_ucs:

			if krb5Principal:

			if krb5Principal:

				# decoding of Samba4 supplementalCredentials

				# decoding of Samba4 supplementalCredentials

				krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))

				krb5Key_new = calculate_krb5key(unicodePwd_attr, supplementalCredentials, int(msDS_KeyVersionNumber))

				modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))

				modlist.append(('krb5Key', krb5Key_ucs, krb5Key_new))

			# Append modification as well to modlist, to apply in one transaction

			# Append modification as well to modlist, to apply in one transaction

			if modifyUserPassword:

			if modifyUserPassword: