dsdb:password_hash: fix policy_hint controlled reset return codes

author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>

Sun, 11 Jan 2026 10:19:35 +0000 (23:19 +1300)

committer Douglas Bagnall <dbagnall@samba.org>

Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
author Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sun, 11 Jan 2026 10:19:35 +0000 (23:19 +1300)
committer Douglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
diff --git a/selftest/knownfail.d/password-policy-hints b/selftest/knownfail.d/password-policy-hints

index 495481e4fbfbf1db715a8d75465b46472763d69f..e69de29bb2d1d6434b8b29ae775ad8c2e48c5391 100644 (file)
--- a/selftest/knownfail.d/password-policy-hints
+++ b/selftest/knownfail.d/password-policy-hints
@@ -1,2 +0,0 @@
-^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_history
-^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_history
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c

index 8c25c859b4894c7cc19bb4b91712823afde8cc95..9837f685412f156f2bbcaf5d307d3df7e0169f22 100644 (file)
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -3064,7 +3064,11 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
                 bool equal = data_blob_equal_const_time(&io->g.aes_256,
                                                         &io->o.aes_256);
                 if (equal) {
-                       ret = LDB_ERR_CONSTRAINT_VIOLATION;
+                       if (io->ac->pwd_reset) {
+                               ret = LDB_ERR_UNWILLING_TO_PERFORM;
+                       } else {
+                               ret = LDB_ERR_CONSTRAINT_VIOLATION;
+                       }
                         *werror = WERR_PASSWORD_RESTRICTION;
                         ldb_asprintf_errstring(ldb,
                                                "%08X: %s - check_password_restrictions: "
@@ -3084,7 +3088,11 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
                 for (i = 0; i < io->o.nt_history_len; i++) {
                         bool pw_cmp = mem_equal_const_time(io->n.nt_hash, io->o.nt_history[i].hash, 16);
                         if (pw_cmp) {
-                               ret = LDB_ERR_CONSTRAINT_VIOLATION;
+                               if (io->ac->pwd_reset) {
+                                       ret = LDB_ERR_UNWILLING_TO_PERFORM;
+                               } else {
+                                       ret = LDB_ERR_CONSTRAINT_VIOLATION;
+                               }
                                 *werror = WERR_PASSWORD_RESTRICTION;
                                 ldb_asprintf_errstring(ldb,
                                         "%08X: %s - check_password_restrictions: "
author	Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
	Sun, 11 Jan 2026 10:19:35 +0000 (23:19 +1300)
committer	Douglas Bagnall <dbagnall@samba.org>
	Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
selftest/knownfail.d/password-policy-hints		patch \| blob \| blame \| history
source4/dsdb/samdb/ldb_modules/password_hash.c		patch \| blob \| blame \| history