From 1fca1fd8d7b9e12c6d4a3c2ad2e69a27aa65a9e1 Mon Sep 17 00:00:00 2001
From: Jeremy Allison <jra@samba.org>
Date: Sat, 17 Jul 2004 01:37:04 +0000
Subject: r1539: If a account was locked out by an admin (and has a bad
 password count of zero) leave it locked out until an admin unlocks it (but
 log a message). Jeremy. (This used to be commit
 14bd2a9ffc30d55d9737b4819797db8c38b46c66)

---
 source3/passdb/passdb.c | 25 +++++++++++++++++++------
 1 file changed, 19 insertions(+), 6 deletions(-)

(limited to 'source3')

diff --git a/source3/passdb/passdb.c b/source3/passdb/passdb.c
index ea1ce80442..2f9742e17d 100644
--- a/source3/passdb/passdb.c
+++ b/source3/passdb/passdb.c
@@ -2249,7 +2249,9 @@ BOOL pdb_update_bad_password_count(SAM_ACCOUNT *sampass, BOOL *updated)
 	if (time(NULL) > (LastBadPassword + (time_t)resettime*60)){
 		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
 		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
-		if (updated) *updated = True;
+		if (updated) {
+			*updated = True;
+		}
 	}
 
 	return True;
@@ -2267,7 +2269,8 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 	if (!sampass) return False;
  
 	if (!(pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK)) {
-		DEBUG(9, ("Account not autolocked, no check needed\n"));
+		DEBUG(9, ("pdb_update_autolock_flag: Account %s not autolocked, no check needed\n",
+			pdb_get_username(sampass)));
 		return True;
 	}
 
@@ -2278,20 +2281,30 @@ BOOL pdb_update_autolock_flag(SAM_ACCOUNT *sampass, BOOL *updated)
 
 	/* First, check if there is a duration to compare */
 	if ((duration == (uint32) -1)  || (duration == 0)) {
-		DEBUG(9, ("No reset duration, can't reset autolock\n"));
+		DEBUG(9, ("pdb_update_autolock_flag: No reset duration, can't reset autolock\n"));
 		return True;
 	}
 		      
 	LastBadPassword = pdb_get_bad_password_time(sampass);
-	DEBUG(7, ("LastBadPassword=%d, duration=%d, current time =%d.\n",
-		  (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
+	DEBUG(7, ("pdb_update_autolock_flag: Account %s, LastBadPassword=%d, duration=%d, current time =%d.\n",
+		  pdb_get_username(sampass), (uint32)LastBadPassword, duration*60, (uint32)time(NULL)));
+
+	if (LastBadPassword == (time_t)0) {
+		DEBUG(1,("pdb_update_autolock_flag: Account %s administratively locked out with no \
+bad password time. Leaving locked out.\n",
+			pdb_get_username(sampass) ));
+			return True;
+	}
+
 	if ((time(NULL) > (LastBadPassword + (time_t) duration * 60))) {
 		pdb_set_acct_ctrl(sampass,
 				  pdb_get_acct_ctrl(sampass) & ~ACB_AUTOLOCK,
 				  PDB_CHANGED);
 		pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
 		pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);
-		if (updated) *updated = True;
+		if (updated) {
+			*updated = True;
+		}
 	}
 	
 	return True;
-- 
cgit