diff options
author | Jeremy Allison <jra@samba.org> | 2011-05-23 17:14:47 -0700 |
---|---|---|
committer | Jeremy Allison <jra@samba.org> | 2011-05-24 20:14:35 +0200 |
commit | 309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07 (patch) | |
tree | 293872e001f357c69e8453e7e19caa9336e5b392 /source3 | |
parent | 53829fd4951fc1189d64ecef1c1f58d21f0fb38b (diff) | |
download | samba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.tar.gz samba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.tar.bz2 samba-309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07.zip |
Fix bug #7054 - X account flag does not work when pwdlastset is 0.
Don't allow pass_last_set_time to be set to zero (which means
"user must change password on next logon") if user object doesn't
allow password change.
Don't automatically allow user object password change if
"user must change password on next logon" is set.
Jim please check.
Jeremy.
Diffstat (limited to 'source3')
-rw-r--r-- | source3/passdb/pdb_get_set.c | 3 | ||||
-rw-r--r-- | source3/rpc_server/samr/srv_samr_util.c | 11 |
2 files changed, 11 insertions, 3 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 6c1a2ab23d..782c08fc1c 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -123,8 +123,7 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass) bool pdb_get_pass_can_change(const struct samu *sampass) { - if (sampass->pass_can_change_time == get_time_t_max() && - sampass->pass_last_set_time != 0) + if (sampass->pass_can_change_time == get_time_t_max()) return False; return True; } diff --git a/source3/rpc_server/samr/srv_samr_util.c b/source3/rpc_server/samr/srv_samr_util.c index 29123321f8..d052846b2e 100644 --- a/source3/rpc_server/samr/srv_samr_util.c +++ b/source3/rpc_server/samr/srv_samr_util.c @@ -612,7 +612,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix, DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l, from->password_expired)); if (from->password_expired != 0) { - pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); + /* Only allow the set_time to zero (which means + "User Must Change Password on Next Login" + if the user object allows password change. */ + if (pdb_get_pass_can_change(to)) { + pdb_set_pass_last_set_time(to, 0, PDB_CHANGED); + } else { + DEBUG(10,("%s Disallowing set of 'User Must " + "Change Password on Next Login' as " + "user object disallows this.\n", l)); + } } else { /* A subtlety here: some windows commands will clear the expired flag even though it's not |