s3-samr: never allow to alter pwdlastset directly.
[samba.git] / source / rpc_server / srv_samr_nt.c
index c924af6a63d14e093a8de50e64733b4063df0642..fd0952bba1975136bd7852fff7e52f7a385e2bb9 100644 (file)
@@ -3860,6 +3860,11 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        /* we need to separately check for an account rename first */
 
        if (id21->account_name.string &&
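Review bot: The new rejection in set_user_info_21 returns NT_STATUS_ACCESS_DENIED without writing any log line, so a client's attempt to set pwdlastset directly leaves no trace on the server. A line such as `DEBUG(2, ("set_user_info_21: refusing to set pwdlastset directly\n"));` ahead of the `TALLOC_FREE(pwd);` would make these attempts visible to whoever reviews the logs. The same applies to the identical checks added in set_user_info_23 and set_user_info_25. A one-line comment above each check, e.g. `/* pwdlastset is never set directly by the client */`, would also record the intent stated in the commit title. The function body starts and ends outside this hunk, so how `pwd` is released on the other error paths cannot be compared from here.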
@@ -3943,6 +3948,12 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
+
        DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n",
                  pdb_get_username(pwd)));
 
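Review bot: The block added to set_user_info_23 is followed by two added blank lines before the `DEBUG(5, ...)` call, where the matching blocks in set_user_info_21 and set_user_info_25 are followed by one. Dropping the second blank line keeps the three checks textually identical, which makes a later change to one of them easier to mirror in the others. The function body starts and ends outside this hunk.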
@@ -4121,6 +4132,11 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
                return NT_STATUS_INVALID_PARAMETER;
        }
 
+       if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+               TALLOC_FREE(pwd);
+               return NT_STATUS_ACCESS_DENIED;
+       }
+
        copy_id25_to_sam_passwd(pwd, id25);
 
        /* write the change out */