Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.
It means an LDAP simple bind will now honour
'old password allowed period'.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
+++ /dev/null
-^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple
return NT_STATUS_WRONG_PASSWORD;
}
- if (user_info->password_state != AUTH_PASSWORD_RESPONSE) {
+ if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
/*
* The authentication was OK against the previous password,
- * but it's not a NTLM network authentication.
+ * but it's not a NTLM network authentication,
+ * LDAP simple bind or something similar.
*
* We just return the original wrong password.
* This skips the update of the bad pwd count,
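Review bot: the comment under the new `if (user_info->flags & USER_INFO_INTERACTIVE_LOGON)` test still describes the branch by what it is not ("not a NTLM network authentication, LDAP simple bind or something similar"), which is vague now that the condition is one positive flag. Suggest wording it as "this is an interactive logon, so a match against the previous password is not accepted". Because every logon that does not carry USER_INFO_INTERACTIVE_LOGON now skips this early NT_STATUS_WRONG_PASSWORD return, the set of logon types that honour 'old password allowed period' depends entirely on which callers set the flag. It would help to name those callers in the comment or the commit message, so that "something similar" does not silently grow to include a path that should have been rejected here.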