authorJelmer Vernooij <jelmer@samba.org>2008-03-03 00:23:09 +0100
committerJelmer Vernooij <jelmer@samba.org>2008-03-03 00:23:09 +0100
commitc7dc53b8514f83800184d2b20b1897e54843a614 (patch)
tree4f09d783271dc5e38809ed02c8252d73f8b147e5 /source4/auth
parent375df425c5014dc852995038e8e5668f98af8ba3 (diff)
parent85d53f7b603f7c15b007f8c3fdde1989f07a6eb2 (diff)
Merge branch 'v4-0-test' into id10ts-registry
(This used to be commit f98b59021a5ea39c7970ebc5520d17775e500b8c)
Diffstat (limited to 'source4/auth')
-rw-r--r--source4/auth/auth_sam.c4
-rw-r--r--source4/auth/config.mk12
-rw-r--r--source4/auth/credentials/config.mk5
-rw-r--r--source4/auth/gensec/config.mk5
-rw-r--r--source4/auth/sam.c41
5 files changed, 38 insertions, 29 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index 9189640150..4cb8d2b304 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -226,7 +226,9 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
{
struct samr_Password *lm_pwd, *nt_pwd;
NTSTATUS nt_status;
- uint16_t acct_flags = samdb_result_acct_flags(msgs[0], "userAccountControl");
+ struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msgs_domain_ref[0], "nCName", NULL);
+
+ uint16_t acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msgs[0], domain_dn);
/* Quit if the account was locked out. */
if (acct_flags & ACB_AUTOLOCK) {
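Review bot: `domain_dn` comes from `samdb_result_dn(..., "nCName", NULL)` and is passed straight to `samdb_result_acct_flags()` without a NULL check, so a domain reference record lacking `nCName` reaches the flag computation with a NULL DN. The lockout test on the next line depends on that result; if the helper returns 0 flags when the lookup fails (its body is not visible here), `ACB_AUTOLOCK` is never seen and the check fails open. I would guard it before computing the flags, e.g. `if (domain_dn == NULL) return NT_STATUS_INTERNAL_DB_CORRUPTION;`. The same NULL default is used in the last `authsam_make_server_info` hunk in source4/auth/sam.c, whereas `authsam_account_ok` passes an `ldb_dn_new()` default, so the three call sites disagree. The body of `authsam_authenticate` continues outside this hunk.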
diff --git a/source4/auth/config.mk b/source4/auth/config.mk
index 5b320bcf36..369c5bb4e6 100644
--- a/source4/auth/config.mk
+++ b/source4/auth/config.mk
@@ -6,13 +6,14 @@ mkinclude credentials/config.mk
[SUBSYSTEM::auth_session]
OBJ_FILES = session.o
-PUBLIC_HEADERS = session.h
-PUBLIC_PROTO_HEADER = session_proto.h
+PRIVATE_PROTO_HEADER = session_proto.h
PUBLIC_DEPENDENCIES = CREDENTIALS
+PUBLIC_HEADERS += auth/session.h
+
[SUBSYSTEM::auth_system_session]
OBJ_FILES = system_session.o
-PUBLIC_PROTO_HEADER = system_session_proto.h
+PRIVATE_PROTO_HEADER = system_session_proto.h
PUBLIC_DEPENDENCIES = CREDENTIALS
PRIVATE_DEPENDENCIES = auth_session LIBSAMBA-UTIL LIBSECURITY
@@ -81,8 +82,7 @@ OBJ_FILES = pam_errors.o
[SUBSYSTEM::auth]
#VERSION = 0.0.1
#SO_VERSION = 0
-PUBLIC_HEADERS = auth.h
-PUBLIC_PROTO_HEADER = auth_proto.h
+PRIVATE_PROTO_HEADER = auth_proto.h
OBJ_FILES = \
auth.o \
auth_util.o \
@@ -92,6 +92,8 @@ PRIVATE_DEPENDENCIES = LIBSAMBA-UTIL
# End SUBSYSTEM auth
#######################
+PUBLIC_HEADERS += auth/auth.h
+
[PYTHON::swig_auth]
PUBLIC_DEPENDENCIES = auth_system_session
PRIVATE_DEPENDENCIES = SAMDB
diff --git a/source4/auth/credentials/config.mk b/source4/auth/credentials/config.mk
index fee9519ae5..ef8db50109 100644
--- a/source4/auth/credentials/config.mk
+++ b/source4/auth/credentials/config.mk
@@ -1,8 +1,7 @@
#################################
# Start SUBSYSTEM CREDENTIALS
[SUBSYSTEM::CREDENTIALS]
-PUBLIC_PROTO_HEADER = credentials_proto.h
-PUBLIC_HEADERS = credentials.h credentials_krb5.h
+PRIVATE_PROTO_HEADER = credentials_proto.h
OBJ_FILES = credentials.o \
credentials_files.o \
credentials_ntlm.o \
@@ -13,6 +12,8 @@ PUBLIC_DEPENDENCIES = \
PRIVATE_DEPENDENCIES = \
SECRETS
+PUBLIC_HEADERS += $(addprefix auth/credentials/, credentials.h credentials_krb5.h)
+
[PYTHON::swig_credentials]
PUBLIC_DEPENDENCIES = CREDENTIALS LIBCMDLINE_CREDENTIALS
SWIG_FILE = credentials.i
diff --git a/source4/auth/gensec/config.mk b/source4/auth/gensec/config.mk
index 9aab2c704e..b60f039284 100644
--- a/source4/auth/gensec/config.mk
+++ b/source4/auth/gensec/config.mk
@@ -4,14 +4,15 @@
PC_FILE = gensec.pc
VERSION = 0.0.1
SO_VERSION = 0
-PUBLIC_HEADERS = gensec.h spnego.h
-PUBLIC_PROTO_HEADER = gensec_proto.h
+PRIVATE_PROTO_HEADER = gensec_proto.h
OBJ_FILES = gensec.o socket.o
PUBLIC_DEPENDENCIES = \
CREDENTIALS LIBSAMBA-UTIL LIBCRYPTO ASN1_UTIL samba-socket LIBPACKET
# End SUBSYSTEM gensec
#################################
+PUBLIC_HEADERS += $(addprefix auth/gensec/, gensec.h spnego.h)
+
################################################
# Start MODULE gensec_krb5
[MODULE::gensec_krb5]
diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index fdd7de7c71..9a8045f62d 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -149,19 +149,20 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
const char *workstation_list;
NTTIME acct_expiry;
NTTIME must_change_time;
- NTTIME last_set_time;
struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL));
NTTIME now;
DEBUG(4,("authsam_account_ok: Checking SMB password for user %s\n", name_for_logs));
- acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn);
acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
+
+ /* Check for when we must change this password, taking the
+ * userAccountControl flags into account */
must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
domain_dn, msg);
- last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -186,22 +187,20 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
return NT_STATUS_ACCOUNT_EXPIRED;
}
- if (!(acct_flags & ACB_PWNOEXP)) {
- /* check for immediate expiry "must change at next logon" */
- if (must_change_time == 0 && last_set_time != 0) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
- name_for_logs));
- return NT_STATUS_PASSWORD_MUST_CHANGE;
- }
+ /* check for immediate expiry "must change at next logon" */
+ if (must_change_time == 0) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n",
+ name_for_logs));
+ return NT_STATUS_PASSWORD_MUST_CHANGE;
+ }
- /* check for expired password */
- if ((must_change_time != 0) && (must_change_time < now)) {
- DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
- name_for_logs));
- DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
- nt_time_string(mem_ctx, must_change_time)));
- return NT_STATUS_PASSWORD_EXPIRED;
- }
+ /* check for expired password */
+ if (must_change_time < now) {
+ DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n",
+ name_for_logs));
+ DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n",
+ nt_time_string(mem_ctx, must_change_time)));
+ return NT_STATUS_PASSWORD_EXPIRED;
}
/* Test workstation. Workstation list is comma separated. */
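Review bot: With the `ACB_PWNOEXP` guard and the `last_set_time != 0` / `must_change_time != 0` conditions removed, both password checks now rest entirely on the value returned by `samdb_result_force_password_change()`, and that contract is not stated at the point of use. The new code assumes the helper returns 0 only for "must change at next logon" and a time that is never `< now` for accounts whose password does not expire. If it can also return 0 on a failed lookup or for an account with no `pwdLastSet` (not visible in this diff), those accounts are now refused with `NT_STATUS_PASSWORD_MUST_CHANGE`. After confirming against the helper, I would record the assumption above the first test, e.g. `/* samdb_result_force_password_change() returns 0 only for must-change-at-next-logon and a far-future time for ACB_PWNOEXP accounts */`. `authsam_account_ok` starts and ends outside this hunk.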
@@ -267,6 +266,7 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
struct dom_sid **groupSIDs = NULL;
struct dom_sid *account_sid;
struct dom_sid *primary_group_sid;
+ struct ldb_dn *domain_dn;
const char *str;
struct ldb_dn *ncname;
int i;
@@ -368,7 +368,10 @@ _PUBLIC_ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_conte
server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
- server_info->acct_flags = samdb_result_acct_flags(msg, "userAccountControl");
+ domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", NULL);
+
+ server_info->acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx,
+ msg, domain_dn);
server_info->user_session_key = user_sess_key;
server_info->lm_session_key = lm_sess_key;