summaryrefslogtreecommitdiff
path: root/source4
diff options
context:
space:
mode:
authorAndrew Bartlett <abartlet@samba.org>2006-03-07 03:33:26 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:52:22 -0500
commit61fe79d02200ef4f23652efe5995c84bbacd220a (patch)
treebfd4af7968742bee23d458ed4b139a8d933bab0f /source4
parent6a73835b0946a015d1bad0b502c35d92777d2446 (diff)
downloadsamba-61fe79d02200ef4f23652efe5995c84bbacd220a.tar.gz
samba-61fe79d02200ef4f23652efe5995c84bbacd220a.tar.bz2
samba-61fe79d02200ef4f23652efe5995c84bbacd220a.zip
r13910: Fix the 'your password has expired' on every login. We now consider
if the 'password does not expire' flag has been set, filling in the PAC and netlogon reply correctly if so. Andrew Bartlett (This used to be commit c530ab5dc6865c422382bc0afa7a86f7ec1acdf2)
Diffstat (limited to 'source4')
-rw-r--r--source4/auth/auth_sam.c29
-rw-r--r--source4/dsdb/samdb/samdb.c11
-rw-r--r--source4/kdc/hdb-ldb.c12
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c2
4 files changed, 30 insertions, 24 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index c28aaf2434..f1ea2a783c 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -172,8 +172,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
- domain_dn, msg,
- "pwdLastSet");
+ domain_dn, msg);
last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -423,10 +422,10 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
}
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
- struct ldb_message *msg,
- struct ldb_message *msg_domain_ref,
- DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **_server_info)
+ struct ldb_message *msg,
+ struct ldb_message *msg_domain_ref,
+ DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
+ struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
struct ldb_message **group_msgs;
@@ -523,13 +522,17 @@ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_c
server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
- ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
-
- server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx,
- ncname, msg, "pwdLastSet");
- server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx,
- ncname, msg, "pwdLastSet");
-
+ ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL);
+ if (!ncname) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ server_info->allow_password_change
+ = samdb_result_allow_password_change(sam_ctx, mem_ctx,
+ ncname, msg, "pwdLastSet");
+ server_info->force_password_change
+ = samdb_result_force_password_change(sam_ctx, mem_ctx,
+ ncname, msg);
+
server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 3d5535602b..fe82b380c5 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -29,6 +29,7 @@
#include "system/filesys.h"
#include "db_wrap.h"
#include "dsdb/samdb/samdb.h"
+#include "ads.h"
/*
connect to the SAM database
@@ -487,12 +488,16 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_dn *domain_dn,
- struct ldb_message *msg,
- const char *attr)
+ struct ldb_message *msg)
{
- uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+ uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
+ uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);
int64_t maxPwdAge;
+ if (user_flags & UF_DONT_EXPIRE_PASSWD) {
+ return 0x7FFFFFFFFFFFFFFFULL;
+ }
+
if (attr_time == 0) {
return 0;
}
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 0306bf3106..5766a9acfa 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -355,21 +355,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
*entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
}
- if (!(userAccountControl & UF_DONT_EXPIRE_PASSWD) &&
- (ent_type != HDB_LDB_ENT_TYPE_KRBTGT)) {
+ if (ent_type != HDB_LDB_ENT_TYPE_KRBTGT) {
NTTIME must_change_time
= samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx,
- domain_dn, msg,
- "pwdLastSet");
- if (must_change_time != 0) {
+ domain_dn, msg);
+ if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
+ entry_ex->entry.pw_end = NULL;
+ } else {
entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
if (entry_ex->entry.pw_end == NULL) {
ret = ENOMEM;
goto out;
}
*entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
- } else {
- entry_ex->entry.pw_end = NULL;
}
} else {
entry_ex->entry.pw_end = NULL;
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 6c109ff0c2..e8828a912f 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1557,7 +1557,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->domain_state->domain_dn, msg, attr);
#define QUERY_FPASSC(msg, field, attr) \
r->out.info->field = samdb_result_force_password_change(a_state->sam_ctx, mem_ctx, \
- a_state->domain_state->domain_dn, msg, attr);
+ a_state->domain_state->domain_dn, msg);
#define QUERY_LHOURS(msg, field, attr) \
r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
#define QUERY_AFLAGS(msg, field, attr) \