author | Michael Adam <obnox@samba.org> | 2012-12-11 13:04:22 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2012-12-11 13:59:59 +0100 |
commit | da066ec1d7b1284461ad907a35a94f30819ecbdc (patch) | |
tree | 5e9aabdd6a9376729723d7ede7c400b2b64238c0 | |
parent | 7c6b10fbb05eaa6075f01a4b4f8fb60f42d2dfa7 (diff) | |
s4:dsdb/password_hash: do the min password age checks first
Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Michael Adam <obnox@samba.org>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r-- | source4/dsdb/samdb/ldb_modules/password_hash.c | 24 |
1 files changed, 13 insertions, 11 deletions
diff --git a/source4/dsdb/samdb/ldb_modules/password_hash.c b/source4/dsdb/samdb/ldb_modules/password_hash.c
index 4644628b9f..9bf596c3bc 100644
--- a/source4/dsdb/samdb/ldb_modules/password_hash.c
+++ b/source4/dsdb/samdb/ldb_modules/password_hash.c
@@ -1954,6 +1954,19 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
 return LDB_SUCCESS;
 }
+ /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
+ if ((io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) &&
+ !io->ac->pwd_reset)
+ {
+ ret = LDB_ERR_CONSTRAINT_VIOLATION;
+ ldb_asprintf_errstring(ldb,
+ "%08X: %s - check_password_restrictions: "
+ "password is too young to change!",
+ W_ERROR_V(WERR_PASSWORD_RESTRICTION),
+ ldb_strerror(ret));
+ return ret;
+ }
+
 /*
 * Fundamental password checks done by the call
 * "samdb_check_password".
@@ -2064,17 +2077,6 @@ static int check_password_restrictions(struct setup_password_fields_io *io)
 return ret;
 }
- /* Password minimum age: yes, this is a minus. The ages are in negative 100nsec units! */
- if (io->u.pwdLastSet - io->ac->status->domain_data.minPwdAge > io->g.last_set) {
- ret = LDB_ERR_CONSTRAINT_VIOLATION;
- ldb_asprintf_errstring(ldb,
- "%08X: %s - check_password_restrictions: "
- "password is too young to change!",
- W_ERROR_V(WERR_PASSWORD_RESTRICTION),
- ldb_strerror(ret));
- return ret;
- }
-
 return LDB_SUCCESS;
 }
|
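Review bot: The new `!io->ac->pwd_reset` term in the first hunk's minimum-age condition exempts password resets from the check, a policy change that neither the commit subject nor the comment above the `if` mentions. The comment should say so, for example `/* Password minimum age, enforced for changes only (a reset bypasses it): yes, this is a minus. The ages are in negative 100nsec units! */`. The exemption is only as trustworthy as the code that sets `pwd_reset`, which is outside the hunk, so it is worth confirming that the flag is set only once the caller's right to reset the password has been established and cannot be selected by the shape of the client request alone. The start of check_password_restrictions and the condition guarding the early `return LDB_SUCCESS;` above the added block are also outside the hunk.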