commit 618d7b2a2e675282c36c585ec284e36addf3fc3a
Author: Stefan Gohmann
Date: Tue Jul 23 07:10:42 2019 +0200
Bug #49905: Samba 4.9 no longer allows the removal of the dBCSPwd (LM hash) attribute. The S4 connector now respects this. Unfortunately, the old lm hash is still available in Samba 4
diff --git a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
index e4ea406fc6..af7ffbe439 100644
--- a/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
+++ b/services/univention-s4-connector/modules/univention/s4connector/s4/password.py
@@ -600,11 +600,12 @@ def password_sync_ucs_to_s4(s4connector, key, object):
 if not ucsLMhash == s4LMhash:
 ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: LM Hash S4: %s LM Hash UCS: %s" % (s4LMhash, ucsLMhash))
 pwd_set = True
- if dBCSPwd_attr:
- modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr))
 if ucsLMhash:
 dBCSPwd_new = binascii.a2b_hex(ucsLMhash)
- modlist.append((ldap.MOD_ADD, 'dBCSPwd', dBCSPwd_new))
+ modlist.append((ldap.MOD_REPLACE, 'dBCSPwd', dBCSPwd_new))
+ else:
+ ud.debug(ud.LDAP, ud.INFO, "password_sync_ucs_to_s4: dBCSPwd should be removed in Samba 4 which is no longer possible, see Bug https://forge.univention.org/bugzilla/show_bug.cgi?id=49905")
+ # modlist.append((ldap.MOD_DELETE, 'dBCSPwd', dBCSPwd_attr))
 if pwd_set or not supplementalCredentials:
 if krb5Principal:
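Review bot: In the new `else:` branch nothing is queued for `dBCSPwd`, yet `pwd_set = True` was already set just above. An object whose UCS LM hash is empty while its S4 LM hash is not will therefore take this path on every sync and still enter the `if pwd_set or not supplementalCredentials:` block. Consider moving `pwd_set = True` into the `if ucsLMhash:` branch, provided nothing later relies on it for this case; the function starts and ends outside the hunk, so that needs checking against the full body. Since the leftover value is an LM hash of an earlier password that stays readable in the directory, the message would be better logged at `ud.WARN` than `ud.INFO`, and should identify the affected object so operators can audit those accounts. The commented-out `# modlist.append((ldap.MOD_DELETE, ...))` line is better replaced by a why-comment such as `# Samba 4.9 rejects removal of dBCSPwd (Bug #49905); the old LM hash is left in place`.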