s3:passdb: don't clear the LM HASH without a password change
authorStefan Metzmacher <metze@samba.org>
Fri, 12 Jul 2024 17:38:40 +0000 (19:38 +0200)
committerStefan Metzmacher <metze@samba.org>
Wed, 17 Jul 2024 10:12:36 +0000 (10:12 +0000)
Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.

This allows testing with 'lanman auth = no' and 'lanman auth = yes'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
python/samba/tests/s3passdb.py
selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext
source3/passdb/pdb_get_set.c

index b584e07fc9801d25b90ff5c2311aa98120dc6efd..eac3be6163e384c280732fe9605ee10703c56539 100644 (file)
@@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir):
         self.assertEqual([-1 for i in range(21)], user.hours)
         self.assertEqual(21, user.hours_len)
         self.assertEqual(9223372036854775807, user.kickoff_time)
-        self.assertEqual(None, user.lanman_passwd)
+        self.assertEqual(b'U)\x02\x03\x1b\xed\xe9\xef\xaa\xd3\xb45\xb5\x14\x04\xee', user.lanman_passwd)
         self.assertEqual(9223372036854775807, user.logoff_time)
         self.assertEqual(0, user.logon_count)
         self.assertEqual(168, user.logon_divs)
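Review bot: The expected value in the `user.lanman_passwd` assertion is an opaque 16-byte literal with nothing to say where it comes from; a comment such as `# LM hash as stored in the passdb under test; no longer dropped on load when 'lanman auth = no'` would explain why it is no longer `None`. The assertion only pins the load path. Nothing in the visible hunk checks that a password change (`PDB_CHANGED`) with 'lanman auth = no' still clears the hash, which is the other half of the new condition in `pdb_set_lanman_passwd` and the security-relevant one. The test method starts and ends outside the hunk, so such a check may exist elsewhere.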
index e45d92c32ed2ff950c3e3afa89b0eb2bf1d2a3e3..1b1696fb85093acc84bc7f74c33b2f3217216ad6 100644 (file)
@@ -1,4 +1 @@
-^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.simpleserver
 ^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.simpleserver
-^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.nt4_member
-^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.nt4_member
index 6789cc0824e0f910c581f9d5b5dbff457a8f8162..a6e45a59b133307936cf1d018aa5d71039e22d79 100644 (file)
@@ -857,7 +857,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8_t pwd[LM_HASH_LEN],
 
        /* on keep the password if we are allowing LANMAN authentication */
 
-       if (pwd && lp_lanman_auth() ) {
+       if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())) {
                sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
        } else {
                sampass->lm_pw = data_blob_null;
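Review bot: The comment above the changed condition, `/* on keep the password if we are allowing LANMAN authentication */`, no longer describes the code, because the hash is now kept for every `flag` other than `PDB_CHANGED` even with 'lanman auth = no'. I would replace it with `/* Drop the LM hash only on a password change (PDB_CHANGED) while 'lanman auth = no'; loads and unrelated updates keep the stored hash. */`. Since `sampass->lm_pw` can now be populated while LANMAN authentication is disabled, every reader of that field has to enforce `lp_lanman_auth()` itself before accepting an LM response; those callers are not visible here and should be confirmed. It is also worth documenting that existing LM hashes stay in the passdb until the next password change, since they are weak and an administrator who disables LANMAN may expect them to be gone. The function body starts and ends outside the hunk.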