-rw-r--r-- | source4/auth/auth_sam.c | 29 | ||||
-rw-r--r-- | source4/dsdb/samdb/samdb.c | 11 | ||||
-rw-r--r-- | source4/kdc/hdb-ldb.c | 12 | ||||
-rw-r--r-- | source4/rpc_server/samr/dcesrv_samr.c | 2 |
4 files changed, 30 insertions, 24 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c index c28aaf2434..f1ea2a783c 100644 --- a/source4/auth/auth_sam.c +++ b/source4/auth/auth_sam.c @@ -172,8 +172,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, - domain_dn, msg, - "pwdLastSet"); + domain_dn, msg); last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0); workstation_list = samdb_result_string(msg, "userWorkstations", NULL); @@ -423,10 +422,10 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context, } NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx, - struct ldb_message *msg, - struct ldb_message *msg_domain_ref, - DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, - struct auth_serversupplied_info **_server_info) + struct ldb_message *msg, + struct ldb_message *msg_domain_ref, + DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key, + struct auth_serversupplied_info **_server_info) { struct auth_serversupplied_info *server_info; struct ldb_message **group_msgs; 
@@ -523,13 +522,17 @@ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_c server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0); - ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx)); - - server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, - ncname, msg, "pwdLastSet"); - server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, - ncname, msg, "pwdLastSet"); - + ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL); + if (!ncname) { + return NT_STATUS_INTERNAL_DB_CORRUPTION; + } + server_info->allow_password_change + = samdb_result_allow_password_change(sam_ctx, mem_ctx, + ncname, msg, "pwdLastSet"); + server_info->force_password_change + = samdb_result_force_password_change(sam_ctx, mem_ctx, + ncname, msg); + server_info->logon_count = samdb_result_uint(msg, "logonCount", 0); server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0); diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c index 3d5535602b..fe82b380c5 100644 --- a/source4/dsdb/samdb/samdb.c +++ b/source4/dsdb/samdb/samdb.c @@ -29,6 +29,7 @@ #include "system/filesys.h" #include "db_wrap.h" #include "dsdb/samdb/samdb.h" +#include "ads.h" /* connect to the SAM database 
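Review bot: The new `if (!ncname)` return in authsam_make_server_info fails the logon with NT_STATUS_INTERNAL_DB_CORRUPTION but logs nothing, so an operator sees authentication failures with no hint that the domain reference lacks nCName. A line such as `DEBUG(0, ("authsam_make_server_info: nCName missing from domain reference\n"));` before the return would make this diagnosable. server_info is allocated above this hunk, so whether the early return needs a matching free cannot be judged from here and should be checked against the function's other error paths.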
@@ -487,12 +488,16 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb, NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, TALLOC_CTX *mem_ctx, const struct ldb_dn *domain_dn, - struct ldb_message *msg, - const char *attr) + struct ldb_message *msg) { - uint64_t attr_time = samdb_result_uint64(msg, attr, 0); + uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0); + uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0); int64_t maxPwdAge; + if (user_flags & UF_DONT_EXPIRE_PASSWD) { + return 0x7FFFFFFFFFFFFFFFULL; + } + if (attr_time == 0) { return 0; } diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c index 0306bf3106..5766a9acfa 100644 --- a/source4/kdc/hdb-ldb.c +++ b/source4/kdc/hdb-ldb.c @@ -355,21 +355,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db, *entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry); } - if (!(userAccountControl & UF_DONT_EXPIRE_PASSWD) && - (ent_type != HDB_LDB_ENT_TYPE_KRBTGT)) { + if (ent_type != HDB_LDB_ENT_TYPE_KRBTGT) { NTTIME must_change_time = samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, - domain_dn, msg, - "pwdLastSet"); - if (must_change_time != 0) { + domain_dn, msg); + if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) { + entry_ex->entry.pw_end = NULL; + } else { entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end)); if (entry_ex->entry.pw_end == NULL) { ret = ENOMEM; goto out; } *entry_ex->entry.pw_end = nt_time_to_unix(must_change_time); - } else { - entry_ex->entry.pw_end = NULL; } } else { entry_ex->entry.pw_end = NULL; diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c index 6c109ff0c2..e8828a912f 100644 --- a/source4/rpc_server/samr/dcesrv_samr.c +++ b/source4/rpc_server/samr/dcesrv_samr.c 
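Review bot: samdb_result_force_password_change now reads `userAccountControl` from `msg` itself, so a caller whose search attribute list omits that attribute gets `user_flags == 0` and UF_DONT_EXPIRE_PASSWD is silently ignored. This applies to the call sites in auth_sam.c, hdb-ldb.c and the QUERY_FPASSC macro in dcesrv_samr.c, whose attribute lists are not visible in this diff. A comment above the function stating the requirement, e.g. `/* msg must contain pwdLastSet and userAccountControl */`, would make it checkable at each call site. The flags are also fetched with `samdb_result_uint64` into a `uint32_t`; `samdb_result_uint(msg, "userAccountControl", 0)`, as used for logonCount elsewhere in this commit, avoids the implicit narrowing. The function body continues past the end of the hunk.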
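Review bot: The never-expires sentinel `0x7FFFFFFFFFFFFFFFULL` is written out literally in LDB_message2entry and again in samdb_result_force_password_change, so the KDC's decision depends on two hand-typed constants staying equal; a single named constant declared in the samdb header would remove that coupling. Separately, a return of 0 used to leave `pw_end` NULL and now produces `nt_time_to_unix(0)`, which marks the password as already expired. That is the intended result for pwdLastSet == 0, but any other path in the helper that returns 0 (its tail is outside this diff) would now deny Kerberos logons for those principals, so each zero-returning path is worth confirming. LDB_message2entry itself starts and ends outside the hunk.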
@@ -1557,7 +1557,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m a_state->domain_state->domain_dn, msg, attr); #define QUERY_FPASSC(msg, field, attr) \ r->out.info->field = samdb_result_force_password_change(a_state->sam_ctx, mem_ctx, \ - a_state->domain_state->domain_dn, msg, attr); + a_state->domain_state->domain_dn, msg); #define QUERY_LHOURS(msg, field, attr) \ r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr); #define QUERY_AFLAGS(msg, field, attr) \ |
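Review bot: QUERY_FPASSC still declares an `attr` parameter that its expansion no longer uses, so callers keep passing an attribute name that has no effect and the macro reads as if the attribute were configurable. Either drop the parameter at the macro and its uses, or add a comment on the macro such as `/* attr is ignored: the helper always reads pwdLastSet and userAccountControl */`. The macro's uses are outside this hunk.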