From: Douglas Bagnall Date: Sun, 11 Jan 2026 10:19:35 +0000 (+1300) Subject: dsdb:password_hash: fix policy_hint controlled reset return codes X-Git-Tag: tdb-1.4.15~93 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04039fdd835690f636906fb58743ff6f91451de8;p=thirdparty%2Fsamba.git dsdb:password_hash: fix policy_hint controlled reset return codes Resets are unwilling, not constrained. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/selftest/knownfail.d/password-policy-hints b/selftest/knownfail.d/password-policy-hints index 495481e4fbf..e69de29bb2d 100644 --- a/selftest/knownfail.d/password-policy-hints +++ b/selftest/knownfail.d/password-policy-hints @@ -1,2 +0,0 @@ -^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_history -^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_history diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 8c25c859b48..9837f685412 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -3064,7 +3064,11 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR bool equal = data_blob_equal_const_time(&io->g.aes_256, &io->o.aes_256); if (equal) { - ret = LDB_ERR_CONSTRAINT_VIOLATION; + if (io->ac->pwd_reset) { + ret = LDB_ERR_UNWILLING_TO_PERFORM; + } else { + ret = LDB_ERR_CONSTRAINT_VIOLATION; + } *werror = WERR_PASSWORD_RESTRICTION; ldb_asprintf_errstring(ldb, "%08X: %s - check_password_restrictions: " @@ -3084,7 +3088,11 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR for (i = 0; i < io->o.nt_history_len; i++) { bool pw_cmp = mem_equal_const_time(io->n.nt_hash, io->o.nt_history[i].hash, 16); if (pw_cmp) { - ret = LDB_ERR_CONSTRAINT_VIOLATION; + if (io->ac->pwd_reset) { + ret = LDB_ERR_UNWILLING_TO_PERFORM; + } else { + ret = LDB_ERR_CONSTRAINT_VIOLATION; + } *werror = WERR_PASSWORD_RESTRICTION; ldb_asprintf_errstring(ldb, "%08X: %s - check_password_restrictions: "