s4:auth_sam: use USER_INFO_INTERACTIVE_LOGON as indication for an interactive logon
author Stefan Metzmacher <metze@samba.org>
Fri, 4 Mar 2022 18:09:41 +0000 (19:09 +0100)
committer Andrew Bartlett <abartlet@samba.org>
Thu, 10 Mar 2022 03:16:35 +0000 (03:16 +0000)
Using != AUTH_PASSWORD_RESPONSE is not the correct indication
due to the local mappings from AUTH_PASSWORD_PLAIN via
AUTH_PASSWORD_HASH to AUTH_PASSWORD_RESPONSE.

It means an LDAP simple bind will now honour
'old password allowed period'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13879
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15001

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
selftest/knownfail.d/samba4.ldap.login_basics [deleted file]
source4/auth/ntlm/auth_sam.c

diff --git a/selftest/knownfail.d/samba4.ldap.login_basics b/selftest/knownfail.d/samba4.ldap.login_basics
deleted file mode 100644 (file)
index 9854b5c..0000000
+++ /dev/null
@@ -1 +0,0 @@
-^samba4.ldap.login_basics.python.*.__main__.BasicUserAuthTests.test_login_basics_simple
index dbbf97665db300a6a3a295b1cb35d43b802ef417..ddde4363d9268489500a32b41943edf0357952db 100644 (file)
@@ -410,10 +410,11 @@ static NTSTATUS authsam_password_check_and_record(struct auth4_context *auth_con
                        return NT_STATUS_WRONG_PASSWORD;
                }
 
-               if (user_info->password_state != AUTH_PASSWORD_RESPONSE) {
+               if (user_info->flags & USER_INFO_INTERACTIVE_LOGON) {
                        /*
                         * The authentication was OK against the previous password,
-                        * but it's not a NTLM network authentication.
+                        * but it's not a NTLM network authentication,
+                        * LDAP simple bind or something similar.
                         *
                         * We just return the original wrong password.
                         * This skips the update of the bad pwd count,
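Review bot: The new test `if (user_info->flags & USER_INFO_INTERACTIVE_LOGON)` makes the rejection of a previous-password match depend on every interactive caller setting that flag, and nothing visible in this hunk shows where it is set. Any path that used to reach this branch through `password_state != AUTH_PASSWORD_RESPONSE` but does not set the flag will no longer take the "return the original wrong password" path, so the commit message should name the callers that set `USER_INFO_INTERACTIVE_LOGON`, and a test that an interactive logon with the previous password is still refused would guard against regressions. The comment also still describes the branch by negation ("it's not a NTLM network authentication, LDAP simple bind or something similar"); stating it positively, for example "this is an interactive logon", would match the condition. Since the commit message says an LDAP simple bind will now honour 'old password allowed period', that widening of where an old password is accepted should be reflected in the documentation of that option.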