-rw-r--r--source4/auth/auth_sam.c29
-rw-r--r--source4/dsdb/samdb/samdb.c11
-rw-r--r--source4/kdc/hdb-ldb.c12
-rw-r--r--source4/rpc_server/samr/dcesrv_samr.c2
4 files changed, 30 insertions, 24 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index c28aaf2434..f1ea2a783c 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -172,8 +172,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx,
- domain_dn, msg,
- "pwdLastSet");
+ domain_dn, msg);
last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -423,10 +422,10 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
}
NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
- struct ldb_message *msg,
- struct ldb_message *msg_domain_ref,
- DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
- struct auth_serversupplied_info **_server_info)
+ struct ldb_message *msg,
+ struct ldb_message *msg_domain_ref,
+ DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
+ struct auth_serversupplied_info **_server_info)
{
struct auth_serversupplied_info *server_info;
struct ldb_message **group_msgs;
@@ -523,13 +522,17 @@ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_c
server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
- ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
-
- server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx,
- ncname, msg, "pwdLastSet");
- server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx,
- ncname, msg, "pwdLastSet");
-
+ ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL);
+ if (!ncname) {
+ return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ }
+ server_info->allow_password_change
+ = samdb_result_allow_password_change(sam_ctx, mem_ctx,
+ ncname, msg, "pwdLastSet");
+ server_info->force_password_change
+ = samdb_result_force_password_change(sam_ctx, mem_ctx,
+ ncname, msg);
+
server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
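Review bot: The new `if (!ncname)` branch returns `NT_STATUS_INTERNAL_DB_CORRUPTION` without logging which record lacked `nCName`, so a logon that fails here is hard to trace back to the broken domain reference; a `DEBUG(0, ("authsam_make_server_info: no nCName in domain reference\n"));` before the return would help. Failing closed instead of continuing with an empty DN is the right direction for the password-policy lookups that follow. server_info is allocated outside this hunk; it is worth confirming that the early return does not leave it behind on a long-lived mem_ctx.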
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 3d5535602b..fe82b380c5 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -29,6 +29,7 @@
#include "system/filesys.h"
#include "db_wrap.h"
#include "dsdb/samdb/samdb.h"
+#include "ads.h"
/*
connect to the SAM database
@@ -487,12 +488,16 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
TALLOC_CTX *mem_ctx,
const struct ldb_dn *domain_dn,
- struct ldb_message *msg,
- const char *attr)
+ struct ldb_message *msg)
{
- uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+ uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
+ uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);
int64_t maxPwdAge;
+ if (user_flags & UF_DONT_EXPIRE_PASSWD) {
+ return 0x7FFFFFFFFFFFFFFFULL;
+ }
+
if (attr_time == 0) {
return 0;
}
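Review bot: `uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);` silently narrows a 64-bit result to 32 bits; `samdb_result_uint(msg, "userAccountControl", 0)`, as auth_sam.c uses for `logonCount`, matches the variable. Because the function now reads two fixed attributes, every caller's search has to request both `pwdLastSet` and `userAccountControl`; if the latter is missing the default 0 makes a never-expiring account look expirable, and that requirement deserves a line in the function's comment. The sentinel `0x7FFFFFFFFFFFFFFFULL` is compared literally in source4/kdc/hdb-ldb.c as well and would be safer as one named constant shared by both files. The function body continues past the hunk.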
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 0306bf3106..5766a9acfa 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -355,21 +355,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
*entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
}
- if (!(userAccountControl & UF_DONT_EXPIRE_PASSWD) &&
- (ent_type != HDB_LDB_ENT_TYPE_KRBTGT)) {
+ if (ent_type != HDB_LDB_ENT_TYPE_KRBTGT) {
NTTIME must_change_time
= samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx,
- domain_dn, msg,
- "pwdLastSet");
- if (must_change_time != 0) {
+ domain_dn, msg);
+ if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
+ entry_ex->entry.pw_end = NULL;
+ } else {
entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
if (entry_ex->entry.pw_end == NULL) {
ret = ENOMEM;
goto out;
}
*entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
- } else {
- entry_ex->entry.pw_end = NULL;
}
} else {
entry_ex->entry.pw_end = NULL;
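Review bot: The rewritten test `if (must_change_time == 0x7FFFFFFFFFFFFFFFULL)` sends a return value of 0 into the `else` branch, where it is stored as `nt_time_to_unix(0)` in pw_end, whereas the old code mapped 0 to `pw_end = NULL`. That is the intended result for `pwdLastSet == 0` (change required at next logon), but if samdb_result_force_password_change still returns 0 on another path outside the visible hunk, for example a domain with no maximum password age, those principals would appear expired to the KDC. Confirm that every no-expiry path returns the sentinel, and compare against a named constant instead of repeating the literal.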
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 6c109ff0c2..e8828a912f 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1557,7 +1557,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
a_state->domain_state->domain_dn, msg, attr);
#define QUERY_FPASSC(msg, field, attr) \
r->out.info->field = samdb_result_force_password_change(a_state->sam_ctx, mem_ctx, \
- a_state->domain_state->domain_dn, msg, attr);
+ a_state->domain_state->domain_dn, msg);
#define QUERY_LHOURS(msg, field, attr) \
r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
#define QUERY_AFLAGS(msg, field, attr) \
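Review bot: `QUERY_FPASSC(msg, field, attr)` keeps its `attr` parameter but no longer expands it, so whatever attribute name a call site passes is silently ignored. Either drop the parameter from the macro and its uses, or add a comment such as `/* attr is unused: the helper always reads pwdLastSet and userAccountControl */`. The query levels that use this macro are outside the hunk; they should be checked to request `userAccountControl` in their attribute list, since a missing attribute is read as 0 and the don't-expire flag would then be ignored.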