r13910: Fix the 'your password has expired' on every login. We now consider

if the 'password does not expire' flag has been set, filling in the
PAC and netlogon reply correctly if so.

Andrew Bartlett

source/auth/auth_sam.c

@@ -172,8 +172,7 @@ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
 	
 	acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 	must_change_time = samdb_result_force_password_change(sam_ctx, mem_ctx, 
-							      domain_dn, msg, 
-							      "pwdLastSet");
+							      domain_dn, msg);
 	last_set_time = samdb_result_nttime(msg, "pwdLastSet", 0);
 
 	workstation_list = samdb_result_string(msg, "userWorkstations", NULL);
@@ -523,12 +522,16 @@ NTSTATUS authsam_make_server_info(TALLOC_CTX *mem_ctx, struct ldb_context *sam_c
 	server_info->acct_expiry = samdb_result_nttime(msg, "accountExpires", 0);
 	server_info->last_password_change = samdb_result_nttime(msg, "pwdLastSet", 0);
 
-	ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", ldb_dn_new(mem_ctx));
-
-	server_info->allow_password_change = samdb_result_allow_password_change(sam_ctx, mem_ctx, 
-							ncname, msg, "pwdLastSet");
-	server_info->force_password_change = samdb_result_force_password_change(sam_ctx, mem_ctx, 
+	ncname = samdb_result_dn(mem_ctx, msg_domain_ref, "nCName", NULL);
+	if (!ncname) {
+		return NT_STATUS_INTERNAL_DB_CORRUPTION;
+	}
+	server_info->allow_password_change
+		= samdb_result_allow_password_change(sam_ctx, mem_ctx, 
 						     ncname, msg, "pwdLastSet");
+	server_info->force_password_change
+		= samdb_result_force_password_change(sam_ctx, mem_ctx, 
+						     ncname, msg);
 	
 	server_info->logon_count = samdb_result_uint(msg, "logonCount", 0);
 	server_info->bad_password_count = samdb_result_uint(msg, "badPwdCount", 0);

source/dsdb/samdb/samdb.c

@@ -29,6 +29,7 @@
 #include "system/filesys.h"
 #include "db_wrap.h"
 #include "dsdb/samdb/samdb.h"
+#include "ads.h"
 
 /*
   connect to the SAM database
@@ -487,12 +488,16 @@ NTTIME samdb_result_allow_password_change(struct ldb_context *sam_ldb,
 NTTIME samdb_result_force_password_change(struct ldb_context *sam_ldb, 
 					  TALLOC_CTX *mem_ctx, 
 					  const struct ldb_dn *domain_dn, 
-					  struct ldb_message *msg, 
-					  const char *attr)
+					  struct ldb_message *msg)
 {
-	uint64_t attr_time = samdb_result_uint64(msg, attr, 0);
+	uint64_t attr_time = samdb_result_uint64(msg, "pwdLastSet", 0);
+	uint32_t user_flags = samdb_result_uint64(msg, "userAccountControl", 0);
 	int64_t maxPwdAge;
 
+	if (user_flags & UF_DONT_EXPIRE_PASSWD) {
+		return 0x7FFFFFFFFFFFFFFFULL;
+	}
+
 	if (attr_time == 0) {
 		return 0;
 	}

source/kdc/hdb-ldb.c

@@ -355,21 +355,19 @@ static krb5_error_code LDB_message2entry(krb5_context context, HDB *db,
 		*entry_ex->entry.valid_end = nt_time_to_unix(acct_expiry);
 	}
 
-	if (!(userAccountControl & UF_DONT_EXPIRE_PASSWD) &&
-	    (ent_type != HDB_LDB_ENT_TYPE_KRBTGT)) {
+	if (ent_type != HDB_LDB_ENT_TYPE_KRBTGT) {
 		NTTIME must_change_time
 			= samdb_result_force_password_change((struct ldb_context *)db->hdb_db, mem_ctx, 
-							     domain_dn, msg, 
-							     "pwdLastSet");
-		if (must_change_time != 0) {
+							     domain_dn, msg);
+		if (must_change_time == 0x7FFFFFFFFFFFFFFFULL) {
+			entry_ex->entry.pw_end = NULL;
+		} else {
 			entry_ex->entry.pw_end = malloc(sizeof(*entry_ex->entry.pw_end));
 			if (entry_ex->entry.pw_end == NULL) {
 				ret = ENOMEM;
 				goto out;
 			}
 			*entry_ex->entry.pw_end = nt_time_to_unix(must_change_time);
-		} else {
-			entry_ex->entry.pw_end = NULL;
 		}
 	} else {
 		entry_ex->entry.pw_end = NULL;

source/rpc_server/samr/dcesrv_samr.c

@@ -1557,7 +1557,7 @@ static NTSTATUS samr_OpenGroup(struct dcesrv_call_state *dce_call, TALLOC_CTX *m
 							   a_state->domain_state->domain_dn, msg, attr);
 #define QUERY_FPASSC(msg, field, attr) \
 	r->out.info->field = samdb_result_force_password_change(a_state->sam_ctx, mem_ctx, \
-							   a_state->domain_state->domain_dn, msg, attr);
+							   a_state->domain_state->domain_dn, msg);
 #define QUERY_LHOURS(msg, field, attr) \
 	r->out.info->field = samdb_result_logon_hours(mem_ctx, msg, attr);
 #define QUERY_AFLAGS(msg, field, attr) \