From 2afc6df9b49a246129acdd7c8c24448c8cf3b6ef Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Wed, 17 Jun 2009 09:14:17 +1000
Subject: [PATCH] s4:setup Add an option to 'setpassword' to force password
 change at next login

---
 source4/scripting/python/samba/samdb.py     | 14 ++++++++++++--
 source4/setup/setpassword                   |  4 +++-
 source4/setup/tests/blackbox_setpassword.sh |  2 ++
 3 files changed, 17 insertions(+), 3 deletions(-)

diff --git a/source4/scripting/python/samba/samdb.py b/source4/scripting/python/samba/samdb.py
index 454a9d144cf..8ca4f65d6e6 100644
--- a/source4/scripting/python/samba/samdb.py
+++ b/source4/scripting/python/samba/samdb.py
@@ -152,7 +152,7 @@ userAccountControl: %u
             raise
         self.transaction_commit()
 
-    def setpassword(self, filter, password):
+    def setpassword(self, filter, password, must_change_at_next_login=False):
         """Set a password on a user record
         
         :param filter: LDAP filter to find the user (eg samccountname=name)
@@ -184,6 +184,15 @@ userPassword:: %s
 
             self.modify_ldif(setpw)
 
+            if must_change_at_next_login:
+                mod = """
+dn: %s
+changetype: modify
+replace: pwdLastSet
+pwdLastSet: 0
+""" % (user_dn)
+                self.modify_ldif(mod)
+
             #  modify the userAccountControl to remove the disabled bit
             self.enable_account(user_dn)
         except:
@@ -212,7 +221,7 @@ userPassword:: %s
         glue.dsdb_set_ntds_invocation_id(self, invocation_id)
 
     def setexpiry(self, user, expiry_seconds, noexpiry):
-        """Set the password expiry for a user
+        """Set the account expiry for a user
         
         :param expiry_seconds: expiry time from now in seconds
         :param noexpiry: if set, then don't expire password
@@ -246,3 +255,4 @@ accountExpires: %u
             self.transaction_cancel()
             raise
         self.transaction_commit();
+
diff --git a/source4/setup/setpassword b/source4/setup/setpassword
index 90a217fb6f7..d44f143e636 100755
--- a/source4/setup/setpassword
+++ b/source4/setup/setpassword
@@ -41,6 +41,7 @@ credopts = options.CredentialsOptions(parser)
 parser.add_option_group(credopts)
 parser.add_option("--filter", help="LDAP Filter to set password on", type=str)
 parser.add_option("--newpassword", help="Set password", type=str)
+parser.add_option("--must-change-at-next-login", help="Force password to be changed on next login", action="store_true")
 
 opts, args = parser.parse_args()
 
@@ -74,4 +75,5 @@ creds = credopts.get_credentials(lp)
 
 samdb = SamDB(url=lp.get("sam database"), session_info=system_session(), 
               credentials=creds, lp=lp)
-samdb.setpassword(filter, password)
+samdb.setpassword(filter, password, must_change_at_next_login=opts.must_change_at_next_login)
+
diff --git a/source4/setup/tests/blackbox_setpassword.sh b/source4/setup/tests/blackbox_setpassword.sh
index 89f1aa58582..70061f6ae7b 100755
--- a/source4/setup/tests/blackbox_setpassword.sh
+++ b/source4/setup/tests/blackbox_setpassword.sh
@@ -18,4 +18,6 @@ testit "newuser" $PYTHON ./setup/newuser --configfile=$PREFIX/simple-dc/etc/smb.
 
 testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass
 
+testit "setpassword" $PYTHON ./setup/setpassword --configfile=$PREFIX/simple-dc/etc/smb.conf testuser --newpassword=testpass --must-change-at-next-login
+
 exit $failed
-- 
2.34.1