s4:password_hash LDB module - allow to compare against both NT and LM hashes on password change operations

This is to match the SAMR password change behaviour.

1 files changed, 1 insertions, 10 deletions

diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index cf239fb903..e90653f7ec 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1439,7 +1439,7 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
 	if (!io->ac->pwd_reset && !io->ac->change_old_pw_checked) {
 		bool nt_hash_checked = false;
 
-		/* we need to old nt or lm hash given by the client */
+		/* we need the old nt or lm hash given by the client */
 		if (!io->og.nt_hash && !io->og.lm_hash) {
 			ldb_asprintf_errstring(ldb,
 				"check_password_restrictions: "
@@ -1878,15 +1878,6 @@ static int setup_io(struct ph_context *ac,
 		return LDB_ERR_UNWILLING_TO_PERFORM;
 	}
 
-	/* refuse the change if someone wants to compare against both
-	 * hashes at the same time for a "password modify" operation... */
-	if (io->og.nt_hash && io->og.lm_hash) {
-		ldb_asprintf_errstring(ldb,
-			"setup_io: "
-			"it's only allowed to provide the old password in hash format as 'unicodePwd' or as 'dBCSPwd'");
-		return LDB_ERR_UNWILLING_TO_PERFORM;
-	}
-
 	/* Decides if we have a password modify or password reset operation */
 	if (ac->req->operation == LDB_ADD) {
 		/* On "add" we have only "password reset" */