From 9318e00a1fab1e6eda6495c44b69d95a980b1e5e Mon Sep 17 00:00:00 2001
From: Amitay Isaacs <amitay@gmail.com>
Date: Fri, 18 Nov 2011 10:34:44 +1100
Subject: dsdb: Fix the password expiry calculation

As per Section 3.1.1.4.5.26 [MS-ADTS.pdf], password is expired if

  pwdLastSet = null, or
  pwdLastSet = 0, or
  (maxPwdAge != 0x8000000000000000 and (ST - pwdLastSet) > maxPwdAge)
---
 source4/dsdb/common/util.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/dsdb/common/util.c b/source4/dsdb/common/util.c
index cae6bd45b3..826a1e4592 100644
--- a/source4/dsdb/common/util.c
+++ b/source4/dsdb/common/util.c
@@ -505,7 +505,7 @@ NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb,
 
 	maxPwdAge = samdb_search_int64(sam_ldb, mem_ctx, 0, domain_dn,
 				       "maxPwdAge", NULL);
-	if (maxPwdAge == 0) {
+	if (maxPwdAge == 0 || maxPwdAge == -0x8000000000000000ULL) {
 		return 0x7FFFFFFFFFFFFFFFULL;
 	} else {
 		attr_time -= maxPwdAge;
-- 
cgit