4 files changed, 30 insertions, 24 deletions
diff --git a/source4/auth/auth_sam.c b/source4/auth/auth_sam.c
index c28aaf2434..f1ea2a783c 100644
--- a/source4/auth/auth_sam.c
+++ b/source4/auth/auth_sam.c
@@ -172,8 +172,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	
 	acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 	must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-							      domain_dn, msg, 
-							      "pwdLastSet");
+							      domain_dn, msg);
 	last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
 
 	workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -423,10 +422,10 @@ static NTSTATUS authsam_authenticate(struct auth_context *auth_context,
 }
 
 NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_ctx,
-					 struct ldb_message *msg,
-					 struct ldb_message *msg_domain_ref,
-					 DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
-					 struct auth_serversupplied_info **_server_info)
+				  struct ldb_message *msg,
+				  struct ldb_message *msg_domain_ref,
+				  DATA_BLOB user_sess_key, DATA_BLOB lm_sess_key,
+				  struct auth_serversupplied_info **_server_info)
 {
 	struct auth_serversupplied_info *server_info;
 	struct ldb_message **group_msgs;
@@ -523,13 +522,17 @@ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_c
 	server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 	server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 
-	ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
-
-	server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
-							ncname, msg, "pwdLastSet");
-	server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-							ncname, msg, "pwdLastSet");
-
+	ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL);
+	if (!ncname) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	server_info->allow_password_change
+		= samdb_result_allow_password_change(sam_ctx, mem_ctx, 
+						     ncname, msg, "pwdLastSet");
+	server_info->force_password_change
+		= samdb_result_force_password_change(sam_ctx, mem_ctx, 
+						     ncname, msg);
+	
 	server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
 	server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);
 
diff --git a/source4/dsdb/samdb/samdb.c b/source4/dsdb/samdb/samdb.c
index 3d5535602b..fe82b380c5 100644
--- a/source4/dsdb/samdb/samdb.c
+++ b/source4/dsdb/samdb/samdb.c
@@ -29,6 +29,7 @@
 #include "system/filesys.h"
 #include "db_wrap.h"
 #include "dsdb/samdb/samdb.h"
+#include "ads.h"
 
 /*
   connect to the SAM database
@@ -487,12 +488,16 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, 
 					  TALLOC_CTX *mem_ctx, 
 					  const struct ldb_dn *domain_dn, 
-					  struct ldb_message *msg, 
-					  const char *attr)
+					  struct ldb_message *msg)
 {
-	uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+	uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
+	uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);
 	int64_t maxPwdAge;
 
+	if (user_flags & UF_DONT_EXPIRE_PASSWD) {
+		return 0x7FFFFFFFFFFFFFFFULL;
+	}
+
 	if (attr_time == 0) {
 		return 0;
 	}
diff --git a/source4/kdc/hdb-ldb.c b/source4/kdc/hdb-ldb.c
index 0306bf3106..5766a9acfa 100644
--- a/source4/kdc/hdb-ldb.c
+++ b/source4/kdc/hdb-ldb.c
@@ -355,21 +355,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
 		*entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
 	}
 
-	if (!(userAccountControl & UF_DONT_EXPIRE_PASSWD) &&
-	    (ent_type != HDB_LDB_ENT_TYPE_KRBTGT)) {
+	if (ent_type != HDB_LDB_ENT_TYPE_KRBTGT) {
 		NTTIME must_change_time
 			= samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, 
-							     domain_dn, msg, 
-							     "pwdLastSet");
-		if (must_change_time != 0) {
+							     domain_dn, msg);
+		if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
+			entry_ex->entry.pw_end = NULL;
+		} else {
 			entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
 			if (entry_ex->entry.pw_end == NULL) {
 				ret = ENOMEM;
 				goto out;
 			}
 			*entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
-		} else {
-			entry_ex->entry.pw_end = NULL;
 		}
 	} else {
 		entry_ex->entry.pw_end = NULL;
diff --git a/source4/rpc_server/samr/dcesrv_samr.c b/source4/rpc_server/samr/dcesrv_samr.c
index 6c109ff0c2..e8828a912f 100644
--- a/source4/rpc_server/samr/dcesrv_samr.c
+++ b/source4/rpc_server/samr/dcesrv_samr.c
@@ -1557,7 +1557,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
 							   a_state->domain_state->domain_dn, msg, attr);
 #define QUERY_FPASSC(msg, field, attr) \
 	r->out.info->field = samdb_result_force_password_change(a_state->sam_ctx, mem_ctx, \
-							   a_state->domain_state->domain_dn, msg, attr);
+							   a_state->domain_state->domain_dn, msg);
 #define QUERY_LHOURS(msg, field, attr) \
 	r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
 #define QUERY_AFLAGS(msg, field, attr) \