Fix bug #7054 - X account flag does not work when pwdlastset is 0.
[sfrench/samba-autobuild/.git] / source3 / rpc_server / samr / srv_samr_util.c
index 29123321f86f255b8711470cb6d9df8c7148a694..d052846b2e5b756488f207affae3ba678e2263dd 100644 (file)
@@ -612,7 +612,16 @@ void copy_id21_to_sam_passwd(const char *log_prefix,
                DEBUG(10,("%s SAMR_FIELD_EXPIRED_FLAG: %02X\n", l,
                        from->password_expired));
                if (from->password_expired != 0) {
-                       pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+                       /* Only allow the set_time to zero (which means
+                          "User Must Change Password on Next Login"
+                          if the user object allows password change. */
+                       if (pdb_get_pass_can_change(to)) {
+                               pdb_set_pass_last_set_time(to, 0, PDB_CHANGED);
+                       } else {
+                               DEBUG(10,("%s Disallowing set of 'User Must "
+                                       "Change Password on Next Login' as "
+                                       "user object disallows this.\n", l));
+                       }
                } else {
                        /* A subtlety here: some windows commands will
                           clear the expired flag even though it's not
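Review bot: In the new `else` branch the request to force a password change is dropped with nothing but a `DEBUG(10, ...)` line. Because `copy_id21_to_sam_passwd` returns `void`, the SAMR caller presumably still sees success, so an administrator setting "User Must Change Password on Next Login" on such an account gets no signal that it was ignored. Consider logging the refusal at a level that is normally enabled, e.g. `DEBUG(3,("%s Disallowing set of 'User Must Change Password on Next Login' as user object disallows this.\n", l));`, so the denied change shows up in routine logs. The added comment is missing its closing parenthesis after `Next Login"`. It could also say that `pdb_get_pass_can_change(to)` is checked against `to` as it stands at this point in the function; whether fields applied later in the same request can alter that answer should be confirmed, since the function body starts and ends outside the hunk.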