--- /usr/bin/ucs-school-ntlm-auth.ORIG 2017-05-12 10:36:39.224000000 +0200
+++ /usr/bin/ucs-school-ntlm-auth 2017-05-12 10:52:11.476000000 +0200
@@ -42,6 +42,9 @@
 userToGroup = {} # { "user": ["group1", "group2", ], }
 groupInfo = {} # { "group1": (23, True, ), }
+logfd = open('/tmp/FOO', 'a+')
+def debug(msg):
+ print >>logfd, '%s\n' % msg
 def loadInfo():
 configRegistry = univention.config_registry.ConfigRegistry()
@@ -74,22 +77,36 @@
 def getNTPasswordHash(username, stationId):
 'stationId may be None if it was not supplied to the program'
+ if username.startswith('host/'):
+ username = username.split('/', 1)[1]
+ if '.' in username:
+ username = username.split('.')[0]
+ if not '$' in username:
+ username += '$'
 groups = userToGroup.get(username)
 if groups is None:
+ debug('1 user = %r' % (username,))
+ # debug('1 keys = %r' % (userToGroup.keys(),))
+ debug('1 groups is None')
 return None
 groups = [groupInfo[group] for group in groups if group in groupInfo]
 if not groups:
+ debug('1 not groups')
 return None
 (maxPriority, _, ) = max(groups)
 if True not in [wlanEnabled for (priority, wlanEnabled, ) in groups if priority == maxPriority]:
+ debug('1 True not found')
 return None
 # user is authorized to use the W-LAN, retrieve NT-password-hash from LDAP and return it
 result = ldapConnection.search(filter=str(univention.admin.filter.expression('uid', username)), attr=['sambaNTPassword', 'sambaAcctFlags'])
 if not result:
+ debug('1 uid %r not found' % (username,))
 return None
 sambaAccountFlags = frozenset(result[0][1]['sambaAcctFlags'][0])
 if sambaAccountFlags & DISALLOWED_SAMBA_ACCOUNT_FLAGS:
+ debug('1 wrong flags')
 return None
+ debug('1 got hash')
 return result[0][1]['sambaNTPassword'][0].decode('hex')
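Review bot: In the first hunk, `logfd = open('/tmp/FOO', 'a+')` opens a fixed file name in a world-writable directory at import time, inside a helper that makes authentication decisions. Any local user can pre-create that path, or symlink it where the kernel does not restrict symlinks in sticky directories, and so read or redirect the logged account names. The handle is never flushed or closed, and `'%s\n' % msg` combined with `print` writes a blank line after every message. I would send the output to syslog instead, `def debug(msg): syslog.syslog(syslog.LOG_DEBUG, msg)`, with `import syslog` added to the imports, which lie outside this hunk. If a file is required, it should live in a root-owned directory and be created with mode 0600.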
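Review bot: In the second hunk, the `host/` rewrite at the top of getNTPasswordHash drops everything after the first dot without comparing it to the local domain, so `host/<name>.<any-suffix>` is looked up and authorised as the `<name>$` account. Indentation is lost on this page; if the `'.' in username` and `'$'` checks sit outside the `host/` branch, ordinary user names containing a dot would also be truncated and get `$` appended, so all three steps belong under the `host/` test. A stricter form is `name, _, domain = username[len('host/'):].partition('.')` followed by `if domain and domain.lower() != LOCAL_DOMAIN: return None`, where LOCAL_DOMAIN is a placeholder for the configured domain name. `if not '$' in username` reads better as `if '$' not in username`. The new `debug()` calls log the account name through `%r` and never the hash, which should stay that way.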