diff options
author | Andrew Bartlett <abartlet@samba.org> | 2008-02-29 08:47:42 +1100 |
---|---|---|
committer | Andrew Bartlett <abartlet@samba.org> | 2008-02-29 08:47:42 +1100 |
commit | 3abf47fe87e72b18c94157c3f993b7f2fca8c248 (patch) | |
tree | 55fd6f3611e21827b72a9fe474965fde26b3af28 /source4/dsdb/common | |
parent | 2a209a6a9dcd0c6b7814fa7eb3838dbaf5d57481 (diff) | |
download | samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.tar.gz samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.tar.bz2 samba-3abf47fe87e72b18c94157c3f993b7f2fca8c248.zip |
Simplify the 'password must change' logic
This takes the previous patches further, so we catch all the cases
(the KDC looked at the time directly).
Andrew Bartlett
(This used to be commit cda4642a937d249399e25eaa6e5e20a0d440bcbf)
Diffstat (limited to 'source4/dsdb/common')
-rw-r--r-- | source4/dsdb/common/util.c | 39 |
1 files changed, 17 insertions, 22 deletions
diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index c9c0285604..ba8841ceb0 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -469,8 +469,8 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb, } /* - construct the force_password_change field from the PwdLastSet attribute and the - domain password settings + construct the force_password_change field from the PwdLastSet + attribute, the userAccountControl and the domain password settings */ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, @@ -478,10 +478,12 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, struct ldb_message *msg) { uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0); - uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0); + uint32_t userAccountcontrol = samdb_result_uint64(msg, "userAccountControl", 0); int64_t maxPwdAge; - if (user_flags & UF_DONT_EXPIRE_PASSWD) { + /* Machine accounts don't expire, and there is a flag for 'no expiry' */ + if (!(userAccountControl & UF_NORMAL_ACCOUNT) + || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) { return 0x7FFFFFFFFFFFFFFFULL; } @@ -607,24 +609,17 @@ uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ct { uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); uint32_t acct_flags = samdb_uf2acb(userAccountControl); - if ((userAccountControl & UF_NORMAL_ACCOUNT) && !(userAccountControl & UF_DONT_EXPIRE_PASSWD)) { - NTTIME must_change_time; - NTTIME pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0); - if (pwdLastSet == 0) { - acct_flags |= ACB_PW_EXPIRED; - } else { - NTTIME now; - - must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, - domain_dn, msg); - - /* Test account expire time */ - unix_to_nt_time(&now, time(NULL)); - /* check for expired password */ - if ((must_change_time != 0) && (must_change_time < now)) { - acct_flags |= ACB_PW_EXPIRED; - } - } + NTTIME must_change_time; + NTTIME now; + + must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, + domain_dn, msg); + + /* Test account expire time */ + unix_to_nt_time(&now, time(NULL)); + /* check for expired password */ + if (must_change_time < now) { + acct_flags |= ACB_PW_EXPIRED; } return acct_flags; } |