s4-auth: Use msDS-User-Account-Control-Computed for PW expiry check

This centralises the check rather than checking the time in
multiple spots.

Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Jo Sutton <josutton@catalyst.net.nz>

diff --git a/source4/auth/sam.c b/source4/auth/sam.c
index bd8219d733525d42b49e1740f4b0e528023486d1..90b6348236952c5a0c90225c0bfe6a9319152d47 100644 (file)
--- a/source4/auth/sam.c
+++ b/source4/auth/sam.c
@@ -260,7 +260,7 @@ _PUBLIC_ NTSTATUS authsam_account_ok(TALLOC_CTX *mem_ctx,
        }
 
        /* check for expired password (but not if this is a password change request) */
-       if ((must_change_time < now) && !password_change) {
+       if ((acct_flags & ACB_PW_EXPIRED) && !password_change) {
                DEBUG(2,("sam_account_ok: Account for user '%s' password expired!.\n",
                         name_for_logs));
                DEBUG(2,("sam_account_ok: Password expired at '%s' unix time.\n",