authorAndrew Bartlett <abartlet@samba.org>2005-11-08 02:30:42 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:54 -0500
commit9a9604b26c7639e3ebf989e6c9195bcca008d65c (patch)
tree0689334724d403fa7934180bef50524907a6fd90 /source4/kdc
parent30d164d9f08af7edde9c417650b60d354e02c61c (diff)
r11572: Add support for accountExpires and password expiry (should cause the
ticket to be reduced in validity). Andrew Bartlett (This used to be commit 5575a1443b5225140f401bde7f897f96dfe73b39)
Diffstat (limited to 'source4/kdc')
-rw-r--r--source4/kdc/hdb-ldb.c34
1 files changed, 32 insertions, 2 deletions
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 7f2289bdeb..bc83973e93 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -219,9 +219,11 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
krb5_error_code ret = 0;
const char *dnsdomain = ldb_msg_find_string(realm_ref_msg, "dnsRoot", NULL);
char *realm = strupper_talloc(mem_ctx, dnsdomain);
+ struct ldb_dn *domain_dn = samdb_result_dn(mem_ctx, realm_ref_msg, "nCName", ldb_dn_new(mem_ctx));
struct hdb_ldb_private *private;
hdb_entry *ent = &entry_ex->entry;
+ NTTIME acct_expiry;
memset(ent, 0, sizeof(*ent));
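Review bot: `domain_dn` is read from `nCName` with an empty `ldb_dn_new(mem_ctx)` as the fallback and is not checked in the visible lines, so a cross-reference record without `nCName` (or a failed allocation) would reach the password-policy lookup in the later hunk with an empty or NULL DN. If that lookup then finds no policy, password expiry would presumably be skipped silently rather than reported as an error. A guard after the declarations, e.g. `if (domain_dn == NULL) { ret = ENOMEM; goto out; }`, together with a comment such as `/* domain_dn is the base used to look up the domain password policy */`, would make the dependency explicit. The function body continues outside this hunk, so an existing check further down cannot be ruled out.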
@@ -308,9 +310,37 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
ent->valid_start = NULL;
- ent->valid_end = NULL;
- ent->pw_end = NULL;
+ acct_expiry = samdb_result_nttime(msg, "accountExpires", -1LL);
+ if (acct_expiry != -1LL && acct_expiry != 0x7FFFFFFFFFFFFFFFLL) {
+ ent->valid_end = malloc(sizeof(*ent->valid_end));
+ if (ent->valid_end == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+ *ent->valid_end = nt_time_to_unix(acct_expiry);
+ } else {
+ ent->valid_end = NULL;
+ }
+ if ((ent_type != HDB_LDB_ENT_TYPE_KRBTGT) && (!(userAccountControl & UF_DONT_EXPIRE_PASSWD))) {
+ NTTIME must_change_time
+ = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx,
+ domain_dn, msg,
+ "pwdLastSet");
+ if (must_change_time != 0) {
+ ent->pw_end = malloc(sizeof(*ent->pw_end));
+ if (ent->pw_end == NULL) {
+ ret = ENOMEM;
+ goto out;
+ }
+ *ent->pw_end = nt_time_to_unix(must_change_time);
+ } else {
+ ent->pw_end = NULL;
+ }
+ } else {
+ ent->pw_end = NULL;
+ }
+
ent->max_life = NULL;
ent->max_renew = NULL;
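Review bot: The `accountExpires` test at the top of this hunk treats only a missing attribute (-1) and 0x7FFFFFFFFFFFFFFF as "never expires", but Active Directory also uses 0 for that. An account stored with 0 would get `valid_end` from `nt_time_to_unix(0)`, which presumably lands at or near the epoch and would make the principal look expired; adding the zero case avoids that: `if (acct_expiry != 0 && acct_expiry != -1LL && acct_expiry != 0x7FFFFFFFFFFFFFFFLL) {`. In the password branch, a return of 0 from `samdb_result_force_password_change` leaves `pw_end` NULL. If that helper can also return 0 for "must change at next logon" (a `pwdLastSet` of 0), the KDC would see no password expiry at all, so a comment stating what 0 means there is worth adding. The `out` label is outside the hunk, so it cannot be confirmed from here whether an ENOMEM at the second `malloc` releases the already-allocated `valid_end`.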