Sorry to touch such an internal function. But I was quite surprised that

'security = user', 'encrypt passwords = no' did not work anymore.
This is on quite a standard SuSE 7.3, ./configure.developer --with-tdbsam.
I can provide a config.log / config.h on demand.

Please re-check for consequences, I don't really oversee that file.

Thanks,

Volker
(This used to be commit ba754b57dd)

source3/auth/pass_check.c

@@ -609,6 +609,8 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 	if (((!*password) || (!pwlen)) && !lp_null_passwords())
 		return NT_STATUS_LOGON_FAILURE;
 
+	this_salt[0] = 0;
+
 #if defined(WITH_PAM) 
 
 	/*
@@ -645,8 +647,10 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 		   perhaps for IPC password changing requests */
 
 		spass = getspnam(pass->pw_name);
-		if (spass && spass->sp_pwdp)
+		if (spass && spass->sp_pwdp) {
 			fstrcpy(this_crypted, spass->sp_pwdp);
+			fstrcpy(this_salt, spass->sp_pwdp);
+		}
 	}
 #elif defined(IA_UINFO)
 	{
@@ -705,7 +709,8 @@ NTSTATUS pass_check(const struct passwd *pass, const char *user, const char *pas
 #endif
 
 	/* extract relevant info */
-	fstrcpy(this_salt, pass->pw_passwd);
+	if (this_salt[0] == 0)
+		fstrcpy(this_salt, pass->pw_passwd);
 
 #if defined(HAVE_TRUNCATED_SALT)
 	/* crypt on some platforms (HPUX in particular)