Don't reset password last set time just because the expired flag

is set to 0. If the account wasn't expired but autolocked, using "net user /dom <username> /active:y" would clear this, incorrectly setting the current time as the new "password last set" time. (This used to be commit 0f292d7)
kristjanvalur · Jun 9, 2008 · 13b2f59 · 13b2f59
1 parent b76f967
commit 13b2f59
Showing 1 changed file with 9 additions and 1 deletion.
diff --git a/source3/rpc_server/srv_samr_util.c b/source3/rpc_server/srv_samr_util.c
@@ -339,7 +339,15 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
 		if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) {
 			pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
 		} else {
-			pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
+			/* A subtlety here: some windows commands will
+			   clear the expired flag even though it's not
+			   set, and we don't want to reset the time
+			   in these caess.  "net user /dom <user> /active:y"
+			   for example, to clear an autolocked acct.
+			   We must check to see if it's expired first. jmcd */
+			stored_time = pdb_get_pass_last_set_time(to);
+			if (stored_time == 0)
+				pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
 		}
 	}
 }