summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Allison <jra@samba.org>2011-05-23 17:14:47 -0700
committerJeremy Allison <jra@samba.org>2011-05-24 20:14:35 +0200
commit309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07 (patch)
tree293872e001f357c69e8453e7e19caa9336e5b392
parent53829fd4951fc1189d64ecef1c1f58d21f0fb38b (diff)
downloadsamba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.tar.gz
samba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.tar.bz2
samba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.zip
Fix bug #7054 - X account flag does not work when pwdlastset is 0.
Don't allow pass_last_set_time to be set to zero (which means "user must change password on next logon") if user object doesn't allow password change. Don't automatically allow user object password change if "user must change password on next logon" is set. Jim please check. Jeremy.
-rw-r--r--source3/passdb/pdb_get_set.c3
-rw-r--r--source3/rpc_server/samr/srv_samr_util.c11
2 files changed, 11 insertions, 3 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 6c1a2ab23d..782c08fc1c 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -123,8 +123,7 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass)
bool pdb_get_pass_can_change(const struct samu *sampass)
{
- if (sampass->pass_can_change_time == get_time_t_max() &&
- sampass->pass_last_set_time != 0)
+ if (sampass->pass_can_change_time == get_time_t_max())
return False;
return True;
}
diff --git a/source3/rpc_server/samr/srv_samr_util.c b/source3/rpc_server/samr/srv_samr_util.c
index 29123321f8..d052846b2e 100644
--- a/source3/rpc_server/samr/srv_samr_util.c
+++ b/source3/rpc_server/samr/srv_samr_util.c
@@ -612,7 +612,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
from->password_expired));
if (from->password_expired != 0) {
- pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+ /* Only allow the set_time to zero (which means
+ "User Must Change Password on Next Login"
+ if the user object allows password change. */
+ if (pdb_get_pass_can_change(to)) {
+ pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+ } else {
+ DEBUG(10,("%s Disallowing set of 'User Must "
+ "Change Password on Next Login' as "
+ "user object disallows this.\n", l));
+ }
} else {
/* A subtlety here: some windows commands will
clear the expired flag even though it's not