From: Douglas Bagnall Date: Sun, 11 Jan 2026 10:15:53 +0000 (+1300) Subject: dsdb:password_hash: "policy hints" resets honour minPwdAge X-Git-Tag: tdb-1.4.15~95 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=cdf2defdc573a01b8308dd1710a73bb2a4e088bb;p=thirdparty%2Fsamba.git dsdb:password_hash: "policy hints" resets honour minPwdAge As always, a reset returns UNWILLING_TO_PERFORM even though it is pretending to be a change due to the control. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12020 Signed-off-by: Douglas Bagnall Reviewed-by: Gary Lockyer --- diff --git a/selftest/knownfail.d/password-policy-hints b/selftest/knownfail.d/password-policy-hints index 55704df344f..495481e4fbf 100644 --- a/selftest/knownfail.d/password-policy-hints +++ b/selftest/knownfail.d/password-policy-hints @@ -1,3 +1,2 @@ ^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_history ^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_history -^samba4\.ldap\.passwords\.python.+test_unicodePwd_policy_hints_deprecated_password_age diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c index 41887462073..e256e864978 100644 --- a/source4/dsdb/samdb/ldb_modules/password_hash.c +++ b/source4/dsdb/samdb/ldb_modules/password_hash.c @@ -2964,9 +2964,12 @@ static int check_password_restrictions(struct setup_password_fields_io *io, WERR /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */ if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) && - !io->ac->pwd_reset) - { - ret = LDB_ERR_CONSTRAINT_VIOLATION; + (!io->ac->pwd_reset || io->ac->policy_hints_reset_is_change)) { + if (io->ac->pwd_reset) { + ret = LDB_ERR_UNWILLING_TO_PERFORM; + } else { + ret = LDB_ERR_CONSTRAINT_VIOLATION; + } *werror = WERR_PASSWORD_RESTRICTION; ldb_asprintf_errstring(ldb, "%08X: %s - check_password_restrictions: "