diff options
Diffstat (limited to 'source4/auth/sam.c')
-rw-r--r-- | source4/auth/sam.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/source4/auth/sam.c b/source4/auth/sam.c index abcb72f292..9a8045f62d 100644 --- a/source4/auth/sam.c +++ b/source4/auth/sam.c @@ -149,7 +149,6 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, const char *workstation_list; NTTIME acct_expiry; NTTIME must_change_time; - NTTIME last_set_time; struct ldb_dn *domain_dn = samdb_result_dn(sam_ctx, mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx, sam_ctx, NULL)); @@ -159,9 +158,11 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, acct_flags = samdb_result_acct_flags(sam_ctx, mem_ctx, msg, domain_dn); acct_expiry = samdb_result_nttime(msg, "accountExpires", 0); + + /* Check for when we must change this password, taking the + * userAccountControl flags into account */ must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, domain_dn, msg); - last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0); workstation_list = samdb_result_string(msg, "userWorkstations", NULL); @@ -187,14 +188,14 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx, } /* check for immediate expiry "must change at next logon" */ - if (!(acct_flags & ACB_PWNOEXP) && (must_change_time == 0 && last_set_time != 0)) { + if (must_change_time == 0) { DEBUG(1,("sam_account_ok: Account for user '%s' password must change!.\n", name_for_logs)); return NT_STATUS_PASSWORD_MUST_CHANGE; } - /* check for expired password (dynamicly gnerated in samdb_result_acct_flags) */ - if (acct_flags & ACB_PW_EXPIRED) { + /* check for expired password */ + if (must_change_time < now) { DEBUG(1,("sam_account_ok: Account for user '%s' password expired!.\n", name_for_logs)); DEBUG(1,("sam_account_ok: Password expired at '%s' unix time.\n", |