From c2e15f390d11d09bd9ae1f7be800967c818ac720 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 15 Nov 2011 13:30:22 -0800 Subject: [PATCH] Fix bug #8561 - Password change settings not fully observed. --- source3/include/proto.h | 1 + source3/passdb/pdb_get_set.c | 40 +++++++++++++++++++++++++++++++++---- source3/rpc_server/srv_samr_nt.c | 2 +- 3 files changed, 37 insertions(+), 6 deletions(-) diff --git a/source3/include/proto.h b/source3/include/proto.h index 2e04ca1..579fc1b 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -4492,6 +4492,7 @@ bool pdb_set_group_sid_from_rid (struct samu *sampass, uint32 grid, enum pdb_val /* The following definitions come from passdb/pdb_get_set.c */ +bool pdb_is_password_change_time_max(time_t test_time); uint32 pdb_get_acct_ctrl(const struct samu *sampass); time_t pdb_get_logon_time(const struct samu *sampass); time_t pdb_get_logoff_time(const struct samu *sampass); diff --git a/source3/passdb/pdb_get_set.c b/source3/passdb/pdb_get_set.c index 6126517..678dc61 100644 --- a/source3/passdb/pdb_get_set.c +++ b/source3/passdb/pdb_get_set.c @@ -37,6 +37,36 @@ #define PDB_NOT_QUITE_NULL "" /********************************************************************* + Test if a change time is a max value. Copes with old and new values + of max. + ********************************************************************/ + +bool pdb_is_password_change_time_max(time_t test_time) +{ + if (test_time == get_time_t_max()) { + return true; + } +#if (defined(SIZEOF_TIME_T) && (SIZEOF_TIME_T == 8)) + if (test_time == 0x7FFFFFFFFFFFFFFFLL) { + return true; + } +#endif + if (test_time == 0x7FFFFFFF) { + return true; + } + return false; +} + +/********************************************************************* + Return an unchanging version of max password change time - 0x7FFFFFFF. + ********************************************************************/ + +time_t pdb_password_change_time_max(void) +{ + return 0x7FFFFFFF; +} + +/********************************************************************* Collection of get...() functions for struct samu. ********************************************************************/ @@ -84,7 +114,7 @@ time_t pdb_get_pass_can_change_time(const struct samu *sampass) we're trying to update this real value from the sampass to indicate that the user cannot change their password. jmcd */ - if (sampass->pass_can_change_time == get_time_t_max() && + if (pdb_is_password_change_time_max(sampass->pass_can_change_time) && pdb_get_init_flags(sampass, PDB_CANCHANGETIME) == PDB_CHANGED) return sampass->pass_can_change_time; @@ -110,18 +140,18 @@ time_t pdb_get_pass_must_change_time(const struct samu *sampass) return (time_t) 0; if (sampass->acct_ctrl & ACB_PWNOEXP) - return get_time_t_max(); + return pdb_password_change_time_max(); if (!pdb_get_account_policy(PDB_POLICY_MAX_PASSWORD_AGE, &expire) || expire == (uint32)-1 || expire == 0) - return get_time_t_max(); + return pdb_password_change_time_max(); return sampass->pass_last_set_time + expire; } bool pdb_get_pass_can_change(const struct samu *sampass) { - if (sampass->pass_can_change_time == get_time_t_max() && + if (pdb_is_password_change_time_max(sampass->pass_can_change_time) && sampass->pass_last_set_time != 0) return False; return True; @@ -1001,7 +1031,7 @@ bool pdb_set_backend_private_data(struct samu *sampass, void *private_data, bool pdb_set_pass_can_change(struct samu *sampass, bool canchange) { return pdb_set_pass_can_change_time(sampass, - canchange ? 0 : get_time_t_max(), + canchange ? 0 : pdb_password_change_time_max(), PDB_CHANGED); } diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c index e98e4aa..487fb3d 100644 --- a/source3/rpc_server/srv_samr_nt.c +++ b/source3/rpc_server/srv_samr_nt.c @@ -2877,7 +2877,7 @@ static NTSTATUS get_user_info_21(TALLOC_CTX *mem_ctx, unix_to_nt_time(&r->allow_password_change, pdb_get_pass_can_change_time(pw)); must_change_time = pdb_get_pass_must_change_time(pw); - if (must_change_time == get_time_t_max()) { + if (pdb_is_password_change_time_max(must_change_time)) { unix_to_nt_time_abs(&force_password_change, must_change_time); } else { unix_to_nt_time(&force_password_change, must_change_time); -- 1.7.3.1