dsdb:password_hash: "policy hints" resets honour minPwdAge
authorDouglas Bagnall <douglas.bagnall@catalyst.net.nz>
Sun, 11 Jan 2026 10:15:53 +0000 (23:15 +1300)
committerDouglas Bagnall <dbagnall@samba.org>
Thu, 15 Jan 2026 01:48:37 +0000 (01:48 +0000)
As always, a reset returns UNWILLING_TO_PERFORM even though it is
pretending to be a change due to the control.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020

Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
selftest/knownfail.d/password-policy-hints
source4/dsdb/samdb/ldb_modules/password_hash.c

index 55704df344f860fa9ae89f8ed34f3af9a756d9ff..495481e4fbfbf1db715a8d75465b46472763d69f 100644 (file)
@@ -1,3 +1,2 @@
 ^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_history
 ^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_history
-^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_password_age
index 4188746207357cb61570200ae95ad827449e421f..e256e8649786f4c3e1b956fd04b7a171818cdb86 100644 (file)
@@ -2964,9 +2964,12 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR
 
        /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
        if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) &&
-           !io->ac->pwd_reset)
-       {
-               ret = LDB_ERR_CONSTRAINT_VIOLATION;
+           (!io->ac->pwd_reset || io->ac->policy_hints_reset_is_change)) {
+               if (io->ac->pwd_reset) {
+                       ret = LDB_ERR_UNWILLING_TO_PERFORM;
+               } else {
+                       ret = LDB_ERR_CONSTRAINT_VIOLATION;
+               }
                *werror = WERR_PASSWORD_RESTRICTION;
                ldb_asprintf_errstring(ldb,
                        "%08X: %s - check_password_restrictions: "
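Review bot: The inner `if (io->ac->pwd_reset)` branch returns two different LDB codes for the same too-young password, and the reason is recorded only in the commit message. Inside the outer condition `pwd_reset` can only be true when `policy_hints_reset_is_change` is also set, which is easy to miss, so I would add a comment above the branch such as `/* A reset only gets here under the policy hints control; it still reports UNWILLING_TO_PERFORM as resets always do, a real change reports CONSTRAINT_VIOLATION. */`. Clients and audit tooling may key on the LDB result code rather than the shared `WERR_PASSWORD_RESTRICTION`, so the comment should make clear that the split is deliberate. check_password_restrictions starts before this hunk and continues past it, so the rest of the error path, including the message text, is not visible here.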