diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-02-29 08:47:42 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-02-29 08:47:42 +1100 |
commit | 3abf47fe87e72b18c94157c3f993b7f2fca8c248 (patch) | |
tree | 55fd6f3611e21827b72a9fe474965fde26b3af28 /source4/auth | |
parent | 2a209a6a9dcd0c6b7814fa7eb3838dbaf5d57481 (diff) | |
download | samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.tar.gz samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.tar.bz2 samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.zip |
Simplify the 'password must change' logic
This takes the previous patches further, so we catch all the cases
(the KDC looked at the time directly).
Andrew Bartlett
(This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
Diffstat (limited to 'source4/auth')
-rw-r--r-- | source4/auth/sam.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c index abcb72f292..9a8045f62d 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -149,7 +149,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; - NTTIME last_set_time; struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); @@ -159,9 +158,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + + /* Check for when we must change this password, taking the + * userAccountControl flags into account */ must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, domain_dn, msg); - last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0); workstation_list = samdb_result_string(msg, "userWorkstations", NULL); @@ -187,14 +188,14 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, } /* check for immediate expiry "must change at next logon" */ - if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) { + if (must_change_time == 0) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", name_for_logs)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */ - if (acct_flags & ACB_PW_EXPIRED) { + /* check for expired password */ + if (must_change_time < now) { DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", name_for_logs)); DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", |