1 files changed, 33 insertions, 35 deletions
diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c
index 7aac8f5856..62898f3dac 100644
--- a/source3/passdb/pdb_get_set.c
+++ b/source3/passdb/pdb_get_set.c
@@ -74,15 +74,34 @@ time_t pdb_get_pass_can_change_time(const struct samu *sampass)
 {
 	uint32 allow;
 
+	/* if the last set time is zero, it means the user cannot 
+	   change their password, and this time must be zero.   jmcd 
+	*/
 	if (sampass->pass_last_set_time == 0)
 		return (time_t) 0;
 	
+	/* if the time is max, and the field has been changed,
+	   we're trying to update this real value from the sampass
+	   to indicate that the user cannot change their password.  jmcd
+	*/
+	if (sampass->pass_can_change_time == get_time_t_max() &&
+	    pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED)
+		return sampass->pass_can_change_time;
+
 	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &allow))
 		allow = 0;
 
+	/* in normal cases, just calculate it from policy */
 	return sampass->pass_last_set_time + allow;
 }
 
+/* we need this for loading from the backend, so that we don't overwrite
+   non-changed max times, otherwise the pass_can_change checking won't work */
+time_t pdb_get_pass_can_change_time_noncalc(const struct samu *sampass)
+{
+	return sampass->pass_can_change_time;
+}
+
 time_t pdb_get_pass_must_change_time(const struct samu *sampass)
 {
 	uint32 expire;
@@ -100,6 +119,14 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass)
 	return sampass->pass_last_set_time + expire;
 }
 
+BOOL pdb_get_pass_can_change(const struct samu *sampass)
+{
+	if (sampass->pass_can_change_time == get_time_t_max() &&
+	    sampass->pass_last_set_time != 0)
+		return False;
+	return True;
+}
+
 uint16 pdb_get_logon_divs(const struct samu *sampass)
 {
 	return sampass->logon_divs;
@@ -944,43 +971,14 @@ BOOL pdb_set_backend_private_data(struct samu *sampass, void *private_data,
 
 /* Helpful interfaces to the above */
 
-/*********************************************************************
- Sets the last changed times and must change times for a normal
- password change.
- ********************************************************************/
-
-BOOL pdb_set_pass_changed_now(struct samu *sampass)
+BOOL pdb_set_pass_can_change(struct samu *sampass, BOOL canchange)
 {
-	uint32 expire;
-	uint32 min_age;
-
-	if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
-		return False;
-
-	if (!pdb_get_account_policy(AP_MAX_PASSWORD_AGE, &expire) 
-	    || (expire==(uint32)-1) || (expire == 0)) {
-		if (!pdb_set_pass_must_change_time (sampass, get_time_t_max(), PDB_CHANGED))
-			return False;
-	} else {
-		if (!pdb_set_pass_must_change_time (sampass, 
-						    pdb_get_pass_last_set_time(sampass)
-						    + expire, PDB_CHANGED))
-			return False;
-	}
-	
-	if (!pdb_get_account_policy(AP_MIN_PASSWORD_AGE, &min_age) 
-	    || (min_age==(uint32)-1)) {
-		if (!pdb_set_pass_can_change_time (sampass, 0, PDB_CHANGED))
-			return False;
-	} else {
-		if (!pdb_set_pass_can_change_time (sampass, 
-						    pdb_get_pass_last_set_time(sampass)
-						    + min_age, PDB_CHANGED))
-			return False;
-	}
-	return True;
+	return pdb_set_pass_can_change_time(sampass, 
+				     canchange ? 0 : get_time_t_max(),
+				     PDB_CHANGED);
 }
 
+
 /*********************************************************************
  Set the user's PLAINTEXT password.  Used as an interface to the above.
  Also sets the last change time to NOW.
@@ -1016,7 +1014,7 @@ BOOL pdb_set_plaintext_passwd(struct samu *sampass, const char *plaintext)
 	if (!pdb_set_plaintext_pw_only (sampass, plaintext, PDB_CHANGED)) 
 		return False;
 
-	if (!pdb_set_pass_changed_now (sampass))
+	if (!pdb_set_pass_last_set_time (sampass, time(NULL), PDB_CHANGED))
 		return False;
 
 	/* Store the password history. */