s3:auth: fix account unlock regression introduced with fix for bug #4347

By an oversight, the patchset for #4347 made the unlocking of a locked
account after the lockout duration ineffective.
Thanks to Björn for finding this!

Michael
(cherry picked from commit 5eb9b66de0fd0adc59339a944f02f5fe25868568)

diff --git a/source3/auth/auth_sam.c b/source3/auth/auth_sam.c
index ef0cd97c52729804f7a22ca8ede6dbdb11e7213b..bd99b3ac75f2f3af7ad524aac99d665ab484609d 100644 (file)
--- a/source3/auth/auth_sam.c
+++ b/source3/auth/auth_sam.c
@@ -369,7 +369,6 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
        DATA_BLOB user_sess_key = data_blob_null;
        DATA_BLOB lm_sess_key = data_blob_null;
        bool updated_autolock = False, updated_badpw = False;
-       uint32_t acct_ctrl;
        const char *username;
        const uint8_t *nt_pw;
        const uint8_t *lm_pw;
@@ -399,22 +398,21 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                return NT_STATUS_NO_SUCH_USER;
        }
 
-       acct_ctrl = pdb_get_acct_ctrl(sampass);
        username = pdb_get_username(sampass);
        nt_pw = pdb_get_nt_passwd(sampass);
        lm_pw = pdb_get_lanman_passwd(sampass);
 
        /* see if autolock flag needs to be updated */
-       if (acct_ctrl & ACB_NORMAL)
+       if (pdb_get_acct_ctrl(sampass) & ACB_NORMAL)
                pdb_update_autolock_flag(sampass, &updated_autolock);
        /* Quit if the account was locked out. */
-       if (acct_ctrl & ACB_AUTOLOCK) {
+       if (pdb_get_acct_ctrl(sampass) & ACB_AUTOLOCK) {
                DEBUG(3,("check_sam_security: Account for user %s was locked out.\n", username));
                return NT_STATUS_ACCOUNT_LOCKED_OUT;
        }
 
        nt_status = sam_password_ok(auth_context, mem_ctx,
-                                   username, acct_ctrl, lm_pw, nt_pw,
+                                   username, pdb_get_acct_ctrl(sampass), lm_pw, nt_pw,
                                    user_info, &user_sess_key, &lm_sess_key);
 
        /* Notify passdb backend of login success/failure. If not 
@@ -426,7 +424,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                bool increment_bad_pw_count = false;
 
                if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD) && 
-                   acct_ctrl & ACB_NORMAL &&
+                   pdb_get_acct_ctrl(sampass) & ACB_NORMAL &&
                    NT_STATUS_IS_OK(update_login_attempts_status)) 
                {
                        increment_bad_pw_count =
@@ -457,7 +455,7 @@ static NTSTATUS check_sam_security(const struct auth_context *auth_context,
                goto done;
        }
 
-       if ((acct_ctrl & ACB_NORMAL) &&
+       if ((pdb_get_acct_ctrl(sampass) & ACB_NORMAL) &&
            (pdb_get_bad_password_count(sampass) > 0)){
                pdb_set_bad_password_count(sampass, 0, PDB_CHANGED);
                pdb_set_bad_password_time(sampass, 0, PDB_CHANGED);