Don't reset password last set time just because the expired flag

is set to 0.  If the account wasn't expired but autolocked,
using "net user /dom <username> /active:y" would clear this,
incorrectly setting the current time as the new "password last set"
time.
(This used to be commit 0f292d70f698b8ae885005b5704a96476e876571)

1 files changed, 9 insertions, 1 deletions

diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c
index 74daf46e84..ef588aed1a 100644
--- a/source3/rpc_server/srv_samr_util.c
+++ b/source3/rpc_server/srv_samr_util.c
@@ -339,7 +339,15 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
 		if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) {
 			pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
 		} else {
-			pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
+			/* A subtlety here: some windows commands will
+			   clear the expired flag even though it's not
+			   set, and we don't want to reset the time
+			   in these caess.  "net user /dom <user> /active:y"
+			   for example, to clear an autolocked acct.
+			   We must check to see if it's expired first. jmcd */
+			stored_time = pdb_get_pass_last_set_time(to);
+			if (stored_time == 0)
+				pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
 		}
 	}
 }