r13375: Match XP behaviour: Don't force 'Administrator' to change an expired
authorGünther Deschner <gd@samba.org>
Tue, 7 Feb 2006 17:18:29 +0000 (17:18 +0000)
committerGerald (Jerry) Carter <jerry@samba.org>
Wed, 10 Oct 2007 16:09:56 +0000 (11:09 -0500)
password on logon. (this might be true for all domain admins as well).

Guenther
(This used to be commit 24c6b9fecb521380008cb44e6d987a6f495027dc)

source3/nsswitch/pam_winbind.c
source3/nsswitch/winbindd_nss.h
source3/nsswitch/winbindd_pam.c

index 57e05dc4bb035d9c28b415e143e224e2a9012a95..0141c3fafa677a92d761bb9bda03dd3a6369b1bb 100644 (file)
@@ -419,7 +419,8 @@ static int winbind_auth_request(pam_handle_t * pamh,
 
        /* handle the case where the auth was ok, but the password must expire right now */
        /* good catch from Ralf Haferkamp: an expiry of "never" is translated to -1 */
-       if ((response.data.auth.policy.expire > 0) && 
+       if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+           (response.data.auth.policy.expire > 0) && 
            (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire < time(NULL))) {
 
                ret = PAM_AUTHTOK_EXPIRED;
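Review bot: The `user_rid != DOMAIN_USER_RID_ADMIN` clause added to the expiry check has no comment saying why RID 500 is exempt, and the two comments above the `if` now describe only part of the condition. Anyone auditing this PAM module sees an unexplained skip of password expiry for the most privileged account, so I would add `/* match XP: the built-in Administrator (RID 500) is not forced to change an expired password at logon */` directly above the `if`. The test keys on the RID alone and is not paired with `info3.dom_sid`, so it presumably applies to RID 500 of any domain winbindd authenticates against; the comment should say whether that is intended. The enclosing winbind_auth_request starts and ends outside the hunk.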
@@ -435,7 +436,8 @@ static int winbind_auth_request(pam_handle_t * pamh,
        }
 
        /* warn a user if the password is about to expire soon */
-       if ((response.data.auth.policy.expire) && 
+       if ((response.data.auth.info3.user_rid != DOMAIN_USER_RID_ADMIN ) &&
+           (response.data.auth.policy.expire) && 
            (response.data.auth.info3.pass_last_set_time + response.data.auth.policy.expire > time(NULL) ) ) {
 
                int days = response.data.auth.policy.expire / SECONDS_PER_DAY;
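Review bot: Adding the same RID test to the "about to expire" check means the Administrator is no longer warned either, which goes further than the commit title (not forcing a change of an already expired password). If only the forced change is meant to be skipped, this condition could stay as `if ((response.data.auth.policy.expire) &&`, so an ageing password on this account is still surfaced at logon rather than hidden. If suppressing the warning is intended, a one-line comment above the `if` saying so would make that explicit. The rest of the warning block lies outside the hunk.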
index 033e51d794396f5325ff8e89f1c56538b035f316..b01053d63c1cb3339f1159071a51474fd54f24da 100644 (file)
@@ -338,8 +338,8 @@ struct winbindd_response {
                                time_t pass_must_change_time;
                                uint16 logon_count;
                                uint16 bad_pw_count;
-                               fstring user_sid;
-                               fstring group_sid;
+                               uint32 user_rid;
+                               uint32 group_rid;
                                fstring dom_sid;
                                uint32 num_groups;
                                uint32 user_flgs;
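Review bot: Swapping the two `fstring` members for two `uint32` members changes the size and field offsets of `struct winbindd_response`, and no bump of `WINBIND_INTERFACE_VERSION` is visible in this hunk. This struct is what winbindd_pam.c fills in and pam_winbind.c reads, so a client and daemon built from different revisions would disagree on where `dom_sid` and the following fields sit, and the new `user_rid` comparison in pam_winbind.c would be made on unrelated bytes. If the version is not raised elsewhere in the commit, it should be raised together with this layout change so mismatched pairs are rejected instead of misread. The struct definition continues outside the hunk.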
index ab20102f79f6e6219455f4e1fb892c56ee618cd3..fc8d0885fc99f31b49de89d4593f3020505667d5 100644 (file)
@@ -32,7 +32,6 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
                                    struct winbindd_cli_state *state, 
                                    NET_USER_INFO_3 *info3) 
 {
-       DOM_SID user_sid, group_sid;
        fstring str_sid;
 
        state->response.data.auth.info3.logon_time = 
@@ -51,18 +50,8 @@ static NTSTATUS append_info3_as_txt(TALLOC_CTX *mem_ctx,
        state->response.data.auth.info3.logon_count = info3->logon_count;
        state->response.data.auth.info3.bad_pw_count = info3->bad_pw_count;
 
-       sid_copy(&user_sid, &(info3->dom_sid.sid));
-       sid_append_rid(&user_sid, info3->user_rid);
-
-       sid_to_string(str_sid, &user_sid);
-       fstrcpy(state->response.data.auth.info3.user_sid, str_sid);
-
-       sid_copy(&group_sid, &(info3->dom_sid.sid));
-       sid_append_rid(&group_sid, info3->group_rid);
-
-       sid_to_string(str_sid, &group_sid);
-       fstrcpy(state->response.data.auth.info3.group_sid, str_sid);
-
+       state->response.data.auth.info3.user_rid = info3->user_rid;
+       state->response.data.auth.info3.group_rid = info3->group_rid;
        sid_to_string(str_sid, &(info3->dom_sid.sid));
        fstrcpy(state->response.data.auth.info3.dom_sid, str_sid);