Fix bug #7054 - X account flag does not work when pwdlastset is 0.
authorJeremy Allison <jra@samba.org>
Tue, 24 May 2011 00:14:47 +0000 (17:14 -0700)
committerJeremy Allison <jra@samba.org>
Tue, 24 May 2011 18:14:35 +0000 (20:14 +0200)
Don't allow pass_last_set_time to be set to zero (which means
"user must change password on next logon") if the user object doesn't
allow password changes.

Don't automatically allow user object password change if
"user must change password on next logon" is set.

Jim please check.

Jeremy.

source3/passdb/pdb_get_set.c
source3/rpc_server/samr/srv_samr_util.c

index 6c1a2ab23d7680b4c4b456090a6a527b94156e4c..782c08fc1c36caccbffb4e0cfa956744ff86435b 100644 (file)
@@ -123,8 +123,7 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass)
 
 bool pdb_get_pass_can_change(const struct samu *sampass)
 {
-       if (sampass->pass_can_change_time == get_time_t_max() &&
-           sampass->pass_last_set_time != 0)
+       if (sampass->pass_can_change_time == get_time_t_max())
                return False;
        return True;
 }
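Review bot: The new test on L27 makes pass_can_change_time == get_time_t_max() mean "cannot change" unconditionally, so an existing record that also carries pass_last_set_time == 0 (the "must change at next logon" marker the removed clause special-cased) is now both required and forbidden to change its password, and nothing in the function records that this is intended. I would document the sentinel and the decision above the test: `/* get_time_t_max() is the "password can never be changed" sentinel; a pass_last_set_time of 0 ("must change at next logon") no longer overrides it, so such accounts need an administrator to reset the password or the flag. */`. Whether stale records of that shape exist in deployed passdb backends cannot be seen from this hunk; if they can, a warning in the setter or a one-off migration may be worth considering.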
index 29123321f86f255b8711470cb6d9df8c7148a694..d052846b2e5b756488f207affae3ba678e2263dd 100644 (file)
@@ -612,7 +612,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
                DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
                        from->password_expired));
                if (from->password_expired != 0) {
-                       pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+                       /* Only allow the set_time to zero (which means
+                          "User Must Change Password on Next Login"
+                          if the user object allows password change. */
+                       if (pdb_get_pass_can_change(to)) {
+                               pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+                       } else {
+                               DEBUG(10,("%s Disallowing set of 'User Must "
+                                       "Change Password on Next Login' as "
+                                       "user object disallows this.\n", l));
+                       }
                } else {
                        /* A subtlety here: some windows commands will
                           clear the expired flag even though it's not
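Review bot: The refusal on L43-L45 is logged only at DEBUG level 10 while the requested "must change password at next logon" attribute is dropped and the SAMR operation presumably still reports success, since copy_id21_to_sam_passwd is void and cannot return an error; an administrator setting the flag would get no indication it was ignored. I would raise the message to an administratively visible level, e.g. `DEBUG(3,("%s Disallowing set of 'User Must "`, keeping the rest of the message as written. The check also reads pdb_get_pass_can_change(to) at this point in the copy, so if the same info21 request carries a change to the allow-password-change field that is applied later in this function, the outcome depends on field order — worth confirming against the surrounding code, which lies outside the hunk. The comment on L37-L39 never closes its opening parenthesis; `"User Must Change Password on Next Login")` fixes it. copy_id21_to_sam_passwd begins and ends outside this hunk.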