diff options
-rw-r--r-- | source4/auth/sam.c | 11 | ||||
-rw-r--r-- | source4/dsdb/common/util.c | 39 | ||||
-rwxr-xr-x | source4/selftest/samba4_tests.sh | 1 |
3 files changed, 24 insertions, 27 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c index abcb72f292..9a8045f62d 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -149,7 +149,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; - NTTIME last_set_time; struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); @@ -159,9 +158,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + + /* Check for when we must change this password, taking the + * userAccountControl flags into account */ must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, domain_dn, msg); - last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0); workstation_list = samdb_result_string(msg, "userWorkstations", NULL); @@ -187,14 +188,14 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, } /* check for immediate expiry "must change at next logon" */ - if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) { + if (must_change_time == 0) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", name_for_logs)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */ - if (acct_flags & ACB_PW_EXPIRED) { + /* check for expired password */ + if (must_change_time < now) { DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", name_for_logs)); DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c index c9c0285604..ba8841ceb0 100644 --- a/source4/dsdb/common/util.c +++ b/source4/dsdb/common/util.c @@ -469,8 +469,8 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb, } /* - construct the force_password_change field from the PwdLastSet attribute and the - domain password settings + construct the force_password_change field from the PwdLastSet + attribute, the userAccountControl and the domain password settings */ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, @@ -478,10 +478,12 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, struct ldb_message *msg) { uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0); - uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0); + uint32_t userAccountcontrol = samdb_result_uint64(msg, "userAccountControl", 0); int64_t maxPwdAge; - if (user_flags & UF_DONT_EXPIRE_PASSWD) { + /* Machine accounts don't expire, and there is a flag for 'no expiry' */ + if (!(userAccountControl & UF_NORMAL_ACCOUNT) + || (userAccountControl & UF_DONT_EXPIRE_PASSWD)) { return 0x7FFFFFFFFFFFFFFFULL; } @@ -607,24 +609,17 @@ uint32_t samdb_result_acct_flags(struct ldb_context *sam_ctx, TALLOC_CTX *mem_ct { uint32_t userAccountControl = ldb_msg_find_attr_as_uint(msg, "userAccountControl", 0); uint32_t acct_flags = samdb_uf2acb(userAccountControl); - if ((userAccountControl & UF_NORMAL_ACCOUNT) && !(userAccountControl & UF_DONT_EXPIRE_PASSWD)) { - NTTIME must_change_time; - NTTIME pwdLastSet = samdb_result_nttime(msg, "pwdLastSet", 0); - if (pwdLastSet == 0) { - acct_flags |= ACB_PW_EXPIRED; - } else { - NTTIME now; - - must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, - domain_dn, msg); - - /* Test account expire time */ - unix_to_nt_time(&now, time(NULL)); - /* check for expired password */ - if ((must_change_time != 0) && (must_change_time < now)) { - acct_flags |= ACB_PW_EXPIRED; - } - } + NTTIME must_change_time; + NTTIME now; + + must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, + domain_dn, msg); + + /* Test account expire time */ + unix_to_nt_time(&now, time(NULL)); + /* check for expired password */ + if (must_change_time < now) { + acct_flags |= ACB_PW_EXPIRED; } return acct_flags; } diff --git a/source4/selftest/samba4_tests.sh b/source4/selftest/samba4_tests.sh index 32386e5b9e..bea4173555 100755 --- a/source4/selftest/samba4_tests.sh +++ b/source4/selftest/samba4_tests.sh @@ -81,6 +81,7 @@ if grep ENABLE_GNUTLS.1 include/config.h > /dev/null; then plantest "ldb.ldaps with options $options" dc $samba4srcdir/../testprogs/blackbox/test_ldb.sh ldaps \$SERVER_IP $options done fi +plantest "ldb.ldapi with options $options" dc $samba4srcdir/../testprogs/blackbox/test_ldb.sh ldapi \$PREFIX_ABS/dc/private/ldapi $options for t in LDAP-CLDAP LDAP-BASIC LDAP-SCHEMA LDAP-UPTODATEVECTOR do plansmbtorturetest "$t" dc "-U\$USERNAME%\$PASSWORD" //\$SERVER_IP/_none_ |