Generate ACB_PW_EXPIRED correctly

More correctly handle expired passwords, and do not expire machine accounts.

Test that the behaviour is consistant with windows, using the RPC-SAMR test.

Change NETLOGON to directly query the userAccountControl, just because
we don't want to do the extra expiry processing here.

Andrew Bartlett
(This used to be commit acda1f69bc9b9c43e157e254d0bae54d11363661)

1 files changed, 30 insertions, 4 deletions

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index bee1eac480..c9c0285604 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -596,11 +596,37 @@ struct samr_LogonHours samdb_result_logon_hours(TALLOC_CTX *mem_ctx, struct ldb_
 
 /*
   pull a set of account_flags from a result set. 
+
+  This requires that the attributes: 
+   pwdLastSet
+   userAccountControl
+  be included in 'msg'
 */
-uint16_t samdb_result_acct_flags(struct ldb_message *msg, const char *attr)
-{
-	uint_t userAccountControl = ldb_msg_find_attr_as_uint(msg, attr, 0);
-	return samdb_uf2acb(userAccountControl);
+uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ctx, 
+				 struct ldb_message *msg, struct ldb_dn *domain_dn)
+{
+	uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0);
+	uint32_t acct_flags = samdb_uf2acb(userAccountControl); 
+	if ((userAccountControl & UF_NORMAL_ACCOUNT) && !(userAccountControl & UF_DONT_EXPIRE_PASSWD)) {
+		NTTIME must_change_time;
+		NTTIME pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0);
+		if (pwdLastSet == 0) {
+			acct_flags |= ACB_PW_EXPIRED;
+		} else {
+			NTTIME now;
+			
+			must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
+									      domain_dn, msg);
+			
+			/* Test account expire time */
+			unix_to_nt_time(&now, time(NULL));
+			/* check for expired password */
+			if ((must_change_time != 0) && (must_change_time < now)) {
+				acct_flags |= ACB_PW_EXPIRED;
+			}
+		}
+	}
+	return acct_flags;
 }