author | Stefan Metzmacher <metze@samba.org> | 2022-03-04 19:09:41 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2022-03-16 13:41:14 +0000 |
commit | 64b2075c119e0cfa401082993f692bd48a343090 (patch) | |
tree | d3d2b19a53a977ce1e12f8535a362aec0251703f | |
parent | cafbb3e7307e0c1b1442ae02a8b83bb017a5eea9 (diff) | |
download | samba-64b2075c119e0cfa401082993f692bd48a343090.tar.gz |
s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as indication for an interactive logon

Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.

It means an LDAP simple bind will now honour
'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2ad44686229ba02f98de5769c26a3dfeaf5ada2b)
-rw-r--r-- | selftest/knownfail.d/samba4.ldap.login_basics | 1 | ||||
-rw-r--r-- | source4/auth/ntlm/auth_sam.c | 5 |
2 files changed, 3 insertions, 3 deletions
diff --git a/selftest/knownfail.d/samba4.ldap.login_basics b/selftest/knownfail.d/samba4.ldap.login_basics deleted file mode 100644 index 9854b5ce76f..00000000000 --- a/selftest/knownfail.d/samba4.ldap.login_basics +++ /dev/null @@ -1 +0,0 @@ -^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple diff --git a/source4/auth/ntlm/auth_sam.c b/source4/auth/ntlm/auth_sam.c index dbbf97665db..ddde4363d92 100644 --- a/source4/auth/ntlm/auth_sam.c +++ b/source4/auth/ntlm/auth_sam.c @@ -410,10 +410,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con return NT_STATUS_WRONG_PASSWORD; } - if (user_info->password_state != AUTH_PASSWORD_RESPONSE) { + if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) { /* * The authentication was OK against the previous password, - * but it's not a NTLM network authentication. + * but it's not a NTLM network authentication, + * LDAP simple bind or something similar. * * We just return the original wrong password. * This skips the update of the bad pwd count, |
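Review bot: In the source4/auth/ntlm/auth_sam.c hunk, the comment under the new `if (user_info->flags & USER_INFO_INTERACTIVE_LOGON)` test still describes the branch by negation ("but it's not a NTLM network authentication, LDAP simple bind or something similar"). After a positive flag check this is easy to misread as listing LDAP simple bind among the cases that take the branch. Suggest stating the condition directly, for example "but this is an interactive logon", and keeping the list of non-interactive cases as a separate sentence. The branch now depends on every interactive caller setting USER_INFO_INTERACTIVE_LOGON in user_info->flags; none of those callers are visible in this hunk, so that should be confirmed before merging, since a caller that omits the flag would fall through to the path that accepts the previous password.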
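Review bot: In the selftest/knownfail.d/samba4.ldap.login_basics hunk, the only entry removed is BasicUserAuthTests.test_login_basics_simple, so the patch shows coverage for the LDAP simple bind side of the change but nothing for the branch that remains in auth_sam.c. Suggest pointing to, or adding, a test in which a logon with USER_INFO_INTERACTIVE_LOGON set matches the previous password and still gets the original wrong-password result without the bad pwd count update, so that both sides of the new flag check are exercised.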