authorStefan Metzmacher <metze@samba.org>2022-03-04 19:09:41 +0100
committerJule Anger <janger@samba.org>2022-03-16 13:41:14 +0000
commit64b2075c119e0cfa401082993f692bd48a343090 (patch)
treed3d2b19a53a977ce1e12f8535a362aec0251703f
parentcafbb3e7307e0c1b1442ae02a8b83bb017a5eea9 (diff)
s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as inducation for an interactive logon
Using != AUTH_PASSWORD_RESPONSE is not the correct indication, because of the local mappings from AUTH_PASSWORD_PLAIN via AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE. This means an LDAP simple bind will now honour the 'old password allowed period'. BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879 BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> (cherry picked from commit 2ad44686229ba02f98de5769c26a3dfeaf5ada2b)
-rw-r--r--selftest/knownfail.d/samba4.ldap.login_basics1
-rw-r--r--source4/auth/ntlm/auth_sam.c5
2 files changed, 3 insertions, 3 deletions
diff --git a/selftest/knownfail.d/samba4.ldap.login_basics b/selftest/knownfail.d/samba4.ldap.login_basics
deleted file mode 100644
index 9854b5ce76f..00000000000
--- a/selftest/knownfail.d/samba4.ldap.login_basics
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple
diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c
index dbbf97665db..ddde4363d92 100644
--- a/source4/auth/ntlm/auth_sam.c
+++ b/source4/auth/ntlm/auth_sam.c
@@ -410,10 +410,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
return NT_STATUS_WRONG_PASSWORD;
}
- if (user_info->password_state != AUTH_PASSWORD_RESPONSE) {
+ if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
/*
* The authentication was OK against the previous password,
- * but it's not a NTLM network authentication.
+ * but it's not a NTLM network authentication,
+ * LDAP simple bind or something similar.
*
* We just return the original wrong password.
* This skips the update of the bad pwd count,