From 1d47053c41a80867a458d759e732bf350efbf92e Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 15 Nov 2011 15:42:50 -0800 Subject: [PATCH] Fix bug #8561 - Password change settings not fully observed. Based on commit 3ede4ffe969f806ba2363b62c09673c32a4ec296 in master (with a change to set the header prototype in the correct file). --- source3/passdb/pdb_get_set.c | 38 +++++++++++++++++++++++++++++--- source3/passdb/proto.h | 1 + source3/rpc_server/samr/srv_samr_nt.c | 2 +- 3 files changed, 36 insertions(+), 5 deletions(-) diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 782c08f..a276c16 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -39,6 +39,36 @@ #define PDB_NOT_QUITE_NULL "" /********************************************************************* + Test if a change time is a max value. Copes with old and new values + of max. + ********************************************************************/ + +bool pdb_is_password_change_time_max(time_t test_time) +{ + if (test_time == get_time_t_max()) { + return true; + } +#if (defined(SIZEOF_TIME_T) && (SIZEOF_TIME_T == 8)) + if (test_time == 0x7FFFFFFFFFFFFFFFLL) { + return true; + } +#endif + if (test_time == 0x7FFFFFFF) { + return true; + } + return false; +} + +/********************************************************************* + Return an unchanging version of max password change time - 0x7FFFFFFF. + ********************************************************************/ + +time_t pdb_password_change_time_max(void) +{ + return 0x7FFFFFFF; +} + +/********************************************************************* Collection of get...() functions for struct samu. ********************************************************************/ @@ -86,7 +116,7 @@ time_t pdb_get_pass_can_change_time(const struct samu *sampass) we're trying to update this real value from the sampass to indicate that the user cannot change their password. jmcd */ - if (sampass->pass_can_change_time == get_time_t_max() && + if (pdb_is_password_change_time_max(sampass->pass_can_change_time) && IS_SAM_CHANGED(sampass, PDB_CANCHANGETIME)) return sampass->pass_can_change_time; @@ -112,7 +142,7 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass) return (time_t) 0; if (sampass->acct_ctrl & ACB_PWNOEXP) - return get_time_t_max(); + return pdb_password_change_time_max(); if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire) || expire == (uint32_t)-1 || expire == 0) @@ -123,7 +153,7 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass) bool pdb_get_pass_can_change(const struct samu *sampass) { - if (sampass->pass_can_change_time == get_time_t_max()) + if (pdb_is_password_change_time_max(sampass->pass_can_change_time)) return False; return True; } @@ -958,7 +988,7 @@ bool pdb_set_backend_private_data(struct samu *sampass, void *private_data, bool pdb_set_pass_can_change(struct samu *sampass, bool canchange) { return pdb_set_pass_can_change_time(sampass, - canchange ? 0 : get_time_t_max(), + canchange ? 0 : pdb_password_change_time_max(), PDB_CHANGED); } diff --git a/source3/passdb/proto.h b/source3/passdb/proto.h index 8b95b72..0ac812f 100644 --- a/source3/passdb/proto.h +++ b/source3/passdb/proto.h @@ -112,6 +112,7 @@ bool pdb_set_group_sid_from_rid (struct samu *sampass, uint32_t grid, enum pdb_v /* The following definitions come from passdb/pdb_get_set.c */ +bool pdb_is_password_change_time_max(time_t test_time); uint32_t pdb_get_acct_ctrl(const struct samu *sampass); time_t pdb_get_logon_time(const struct samu *sampass); time_t pdb_get_logoff_time(const struct samu *sampass); diff --git a/source3/rpc_server/samr/srv_samr_nt.c b/source3/rpc_server/samr/srv_samr_nt.c index dad06f7..78ef1ba 100644 --- a/source3/rpc_server/samr/srv_samr_nt.c +++ b/source3/rpc_server/samr/srv_samr_nt.c @@ -2824,7 +2824,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw)); must_change_time = pdb_get_pass_must_change_time(pw); - if (must_change_time == get_time_t_max()) { + if (pdb_is_password_change_time_max(must_change_time)) { unix_to_nt_time_abs(&force_password_change, must_change_time); } else { unix_to_nt_time(&force_password_change, must_change_time); -- 1.7.3.1