s3-auth: Do not reset bad password count to 0 if account is disabled

Change-Id: I895435fb278eae5d92b4a8e15d062769c0e8a71a
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>

1 files changed, 11 insertions, 11 deletions

diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c
index 8bcd40e2de..ff634aa496 100644
--- a/source3/auth/check_samsec.c
+++ b/source3/auth/check_samsec.c
@@ -458,15 +458,21 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		goto done;
 	}
 
+	/*
+	 * We must only reset the bad password count if the login was
+	 * successful, including checking account policies
+	 */
+	nt_status = sam_account_ok(mem_ctx, sampass, user_info);
+	if (!NT_STATUS_IS_OK(nt_status)) {
+		goto done;
+	}
+
 	if ((acct_ctrl & ACB_NORMAL) &&
 	    (pdb_get_bad_password_count(sampass) > 0)){
+		NTSTATUS status;
+
 		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
 		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
-		updated_badpw = True;
-	}
-
-	if (updated_badpw){
-		NTSTATUS status;
 
 		become_root();
 		status = pdb_update_sam_account(sampass);
@@ -478,12 +484,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge,
 		}
 	}
 
-	nt_status = sam_account_ok(mem_ctx, sampass, user_info);
-
-	if (!NT_STATUS_IS_OK(nt_status)) {
-		goto done;
-	}
-
 	become_root();
 	nt_status = make_server_info_sam(mem_ctx, sampass, server_info);
 	unbecome_root();