s4:password_hash LDB module - allow to compare against both NT and LM hashes on passw...
authorMatthias Dieter Wallnöfer <mdw@samba.org>
Sun, 15 Aug 2010 07:36:25 +0000 (09:36 +0200)
committerMatthias Dieter Wallnöfer <mdw@samba.org>
Sun, 15 Aug 2010 17:42:39 +0000 (19:42 +0200)
This is to match the SAMR password change behaviour.

source4/dsdb/samdb/ldb_modules/password_hash.c

index cf239fb90322c95bd64232a37c009f01c866fb04..e90653f7ec276ceeb174942a4f64ec1d1e4c3d44 100644 (file)
@@ -1439,7 +1439,7 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
        if (!io->ac->pwd_reset && !io->ac->change_old_pw_checked) {
                bool nt_hash_checked = false;
 
-               /* we need to old nt or lm hash given by the client */
+               /* we need the old nt or lm hash given by the client */
                if (!io->og.nt_hash && !io->og.lm_hash) {
                        ldb_asprintf_errstring(ldb,
                                "check_password_restrictions: "
@@ -1878,15 +1878,6 @@ static int setup_io(struct ph_context *ac,
                return LDB_ERR_UNWILLING_TO_PERFORM;
        }
 
-       /* refuse the change if someone wants to compare against both
-        * hashes at the same time for a "password modify" operation... */
-       if (io->og.nt_hash && io->og.lm_hash) {
-               ldb_asprintf_errstring(ldb,
-                       "setup_io: "
-                       "it's only allowed to provide the old password in hash format as 'unicodePwd' or as 'dBCSPwd'");
-               return LDB_ERR_UNWILLING_TO_PERFORM;
-       }
-
        /* Decides if we have a password modify or password reset operation */
        if (ac->req->operation == LDB_ADD) {
                /* On "add" we have only "password reset" */
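Review bot: With the both-hashes guard removed from setup_io, nothing visible states what a "password modify" carrying both an old NT hash and an old LM hash has to satisfy, and the corrected comment in check_password_restrictions still reads as either/or. The comparison that uses `nt_hash_checked` lies outside the first hunk, so it cannot be confirmed from here whether a supplied LM hash is still compared once the NT hash has matched, or whether a mismatch on one is tolerated when the other matches. I would spell the rule out at the check, e.g. `/* the client may give the old NT hash, the old LM hash, or both (as SAMR does); <state whether one match suffices or both must match> */`, and leave a one-line comment in setup_io where the guard used to be, saying that both are now accepted on purpose. Both functions begin and end outside the hunks shown.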