From b42c489180474627270e09408f84841baa175157 Mon Sep 17 00:00:00 2001
From: Jo Sutton <josutton@catalyst.net.nz>
Date: Tue, 11 Jun 2024 14:58:11 +1200
Subject: [PATCH] s4:auth: Handle expired accounts in authsam_account_ok() (CID
 1603594)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We check the ACB_PW_EXPIRED bit to determine whether the account is
expired. Since ACB_PW_EXPIRED can’t be represented in a 16‐bit integer,
we must increase the width of acct_flags so as not to lose that bit.

Signed-off-by: Jo Sutton <josutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
---
 source4/auth/sam.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index 963f3d4027c..093d29080ec 100644
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -213,7 +213,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 				     bool allow_domain_trust,
 				     bool password_change)
 {
-	uint16_t acct_flags;
+	uint32_t acct_flags;
 	const char *workstation_list;
 	NTTIME acct_expiry;
 	NTTIME must_change_time;