From: Stefan Metzmacher Date: Fri, 12 Jul 2024 17:38:40 +0000 (+0200) Subject: s3:passdb: don't clear the LM HASH without a password change X-Git-Tag: tdb-1.4.11~109 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9afe7b7a0f248d2d31dfc2a13bd61906d113c932;p=thirdparty%2Fsamba.git s3:passdb: don't clear the LM HASH without a password change Updating things like the bad pwd count should not clear the stored LM HASH with 'lanman auth = no'. This allows testing with 'lanman auth = no' and 'lanman auth = yes'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705 Signed-off-by: Stefan Metzmacher Reviewed-by: Andreas Schneider --- diff --git a/python/samba/tests/s3passdb.py b/python/samba/tests/s3passdb.py index b584e07fc98..eac3be6163e 100644 --- a/python/samba/tests/s3passdb.py +++ b/python/samba/tests/s3passdb.py @@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir): self.assertEqual([-1 for i in range(21)], user.hours) self.assertEqual(21, user.hours_len) self.assertEqual(9223372036854775807, user.kickoff_time) - self.assertEqual(None, user.lanman_passwd) + self.assertEqual(b'U)\x02\x03\x1b\xed\xe9\xef\xaa\xd3\xb45\xb5\x14\x04\xee', user.lanman_passwd) self.assertEqual(9223372036854775807, user.logoff_time) self.assertEqual(0, user.logon_count) self.assertEqual(168, user.logon_divs) diff --git a/selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext b/selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext index e45d92c32ed..1b1696fb850 100644 --- a/selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext +++ b/selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext @@ -1,4 +1 @@ -^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.simpleserver ^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.simpleserver -^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.nt4_member -^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.nt4_member diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 6789cc0824e..a6e45a59b13 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -857,7 +857,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8_t pwd[LM_HASH_LEN], /* on keep the password if we are allowing LANMAN authentication */ - if (pwd && lp_lanman_auth() ) { + if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())) { sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN); } else { sampass->lm_pw = data_blob_null;