s3:passdb: don't clear the LM HASH without a password change

Updating things like the bad pwd count should not clear the
stored LM HASH with 'lanman auth = no'.

This allows testing with 'lanman auth = no' and 'lanman auth = yes'.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=9705

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>

python/samba/tests/s3passdb.py

@@ -90,7 +90,7 @@ class PassdbTestCase(TestCaseInTempDir):
         self.assertEqual([-1 for i in range(21)], user.hours)
         self.assertEqual(21, user.hours_len)
         self.assertEqual(9223372036854775807, user.kickoff_time)
-        self.assertEqual(None, user.lanman_passwd)
+        self.assertEqual(b'U)\x02\x03\x1b\xed\xe9\xef\xaa\xd3\xb45\xb5\x14\x04\xee', user.lanman_passwd)
         self.assertEqual(9223372036854775807, user.logoff_time)
         self.assertEqual(0, user.logon_count)
         self.assertEqual(168, user.logon_divs)

selftest/knownfail.d/samba3.blackbox.smb1_lanman_plaintext

@@ -1,4 +1 @@
-^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.simpleserver
 ^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.simpleserver
-^samba3.blackbox.smb1_lanman_plaintext.test_lm_ok.nt4_member
-^samba3.blackbox.smb1_lanman_plaintext.test_plaintext_ok.nt4_member

source3/passdb/pdb_get_set.c

@@ -857,7 +857,7 @@ bool pdb_set_lanman_passwd(struct samu *sampass, const uint8_t pwd[LM_HASH_LEN],
 
 	/* on keep the password if we are allowing LANMAN authentication */
 
-	if (pwd && lp_lanman_auth() ) {
+	if (pwd && (flag != PDB_CHANGED || lp_lanman_auth())) {
 		sampass->lm_pw = data_blob_talloc(sampass, pwd, LM_HASH_LEN);
 	} else {
 		sampass->lm_pw = data_blob_null;