Don't reset password last set time just because the expired flag
authorJim McDonough <jmcd@samba.org>
Mon, 9 Jun 2008 15:45:39 +0000 (11:45 -0400)
committerJim McDonough <jmcd@samba.org>
Mon, 9 Jun 2008 15:45:39 +0000 (11:45 -0400)
is set to 0.  If the account wasn't expired but autolocked,
using "net user /dom <username> /active:y" would clear this,
incorrectly setting the current time as the new "password last set"
time.

source/rpc_server/srv_samr_util.c

index 74daf46e849827d7bedbb37f19c1f082d3be7eb8..ef588aed1a38c8220a3a834995f22bc579bec919 100644 (file)
@@ -339,7 +339,15 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
                if (from->password_expired == PASS_MUST_CHANGE_AT_NEXT_LOGON) {
                        pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
                } else {
-                       pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
+                       /* A subtlety here: some windows commands will
+                          clear the expired flag even though it's not
+                          set, and we don't want to reset the time
+                          in these caess.  "net user /dom <user> /active:y"
+                          for example, to clear an autolocked acct.
+                          We must check to see if it's expired first. jmcd */
+                       stored_time = pdb_get_pass_last_set_time(to);
+                       if (stored_time == 0)
+                               pdb_set_pass_last_set_time(to, time(NULL),PDB_CHANGED);
                }
        }
 }
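Review bot: The added `if (stored_time == 0)` in the else branch is unbraced, and it relies on 0 being the "must change at next logon" marker that the branch above writes with `pdb_set_pass_last_set_time(to, 0, PDB_CHANGED)`, which the new comment never states. Since this timestamp appears to drive password ageing, I would brace the statement and name the sentinel: `if (stored_time == 0) { /* 0 == forced-change marker: only then restart the password age */` followed by the existing call and a closing `}`. The value is read back from `to`, the object being updated, so if an earlier part of copy_id21_to_sam_passwd has already written that field, the check sees the new value rather than the stored one; the function starts outside this hunk, so that cannot be confirmed here. The declaration of `stored_time` is also not visible in the hunk and is presumably a `time_t` local added elsewhere in the function. The comment has a typo, "caess" for "cases".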