From 309a8fd7c62e7008b1a4c4c77c3a9ea35ed4bb07 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Mon, 23 May 2011 17:14:47 -0700
Subject: Fix bug #7054 - X account flag does not work when pwdlastset is 0.

Don't allow pass_last_set_time to be set to zero (which means
"user must change password on next logon") if user object doesn't
allow password change.

Don't automatically allow user object password change if
"user must change password on next logon" is set.

Jim please check.

Jeremy.
---
 source3/rpc_server/samr/srv_samr_util.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

(limited to 'source3/rpc_server/samr')

diff --git a/source3/rpc_server/samr/srv_samr_util.c b/source3/rpc_server/samr/srv_samr_util.c
index 29123321f8..d052846b2e 100644
--- a/source3/rpc_server/samr/srv_samr_util.c
+++ b/source3/rpc_server/samr/srv_samr_util.c
@@ -612,7 +612,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
 		DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
 			from->password_expired));
 		if (from->password_expired != 0) {
-			pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+			/* Only allow the set_time to zero (which means
+			   "User Must Change Password on Next Login"
+			   if the user object allows password change. */
+			if (pdb_get_pass_can_change(to)) {
+				pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+			} else {
+				DEBUG(10,("%s Disallowing set of 'User Must "
+					"Change Password on Next Login' as "
+					"user object disallows this.\n", l));
+			}
 		} else {
 			/* A subtlety here: some windows commands will
 			   clear the expired flag even though it's not
-- 
cgit