From: Günther Deschner
Date: Thu, 27 Nov 2008 16:29:30 +0000 (+0100)
Subject: s3-samr: never allow to alter pwdlastset directly.
X-Git-Tag: samba-4.0.0alpha6~480^2~96
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=6a627b440e8b3f42db2a8a27047dd3482bad0d28;p=thirdparty%2Fsamba.git
s3-samr: never allow to alter pwdlastset directly.
Guenther
---
diff --git a/source3/rpc_server/srv_samr_nt.c b/source3/rpc_server/srv_samr_nt.c
index 332d41b1b04..c45be02ab8f 100644
--- a/source3/rpc_server/srv_samr_nt.c
+++ b/source3/rpc_server/srv_samr_nt.c
@@ -3959,6 +3959,11 @@ static NTSTATUS set_user_info_21(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ if (id21->fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+ TALLOC_FREE(pwd);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 /* we need to separately check for an account rename first */
 if (id21->account_name.string &&
@@ -4042,6 +4047,12 @@ static NTSTATUS set_user_info_23(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ if (id23->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+ TALLOC_FREE(pwd);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+
 DEBUG(5, ("Attempting administrator password change (level 23) for user %s\n", pdb_get_username(pwd)));
@@ -4220,6 +4231,11 @@ static NTSTATUS set_user_info_25(TALLOC_CTX *mem_ctx,
 return NT_STATUS_INVALID_PARAMETER;
 }
+ if (id25->info.fields_present & SAMR_FIELD_LAST_PWD_CHANGE) {
+ TALLOC_FREE(pwd);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
 copy_id25_to_sam_passwd(pwd, id25);
 /* write the change out */
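Review bot: The three new `SAMR_FIELD_LAST_PWD_CHANGE` guards (in set_user_info_21, and again in set_user_info_23 and set_user_info_25) reject the request with no comment and no log line, so neither a maintainer nor an operator reading the logs can tell why the call returned NT_STATUS_ACCESS_DENIED. A refused attempt to write pwdLastSet is worth recording because that value presumably feeds password-age decisions; I would add a comment such as `/* pwdLastSet is maintained by the server; never accept it from the client */` and a line such as `DEBUG(3, ("set_user_info_21: refusing direct change of pwdLastSet\n"));` before each return. The same four lines are repeated in all three functions, so a small static helper taking `fields_present` would keep the levels from drifting apart. All three functions start and end outside their hunks, so whether the preceding NT_STATUS_INVALID_PARAMETER return also releases `pwd` cannot be checked from here.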