--- passdb/passdb.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ passdb/passdb.c	2008-05-29 09:30:41.649805591 +1000
@@ -779,6 +779,28 @@
 	}	
 
 	if (local_flags & LOCAL_ADD_USER) {
+/* PSz 19 Aug 04
+ * Above it said "just write ... the valid last change time"
+ * but I do not see that set anywhere (left at 0 since pdb_init_sam?).
+ * Anyway I do not want 0 or now.
+ * 
+ * Makes sense to use current time. But, we want something like pre-expired
+ * passwords: set up students with a default password and force them to
+ * change it upon first login.
+ * 
+ * Seems that must_change_time is not supported (in smbpasswd file).
+ * We could set time to 0 or something else fixed; instead we set it back
+ * by twenty years (so may still figure out when this really was done).
+ * Chose 20: wanted a decade, round number, easy counting of leap years.
+ * The detection of any such "special" last-change-time, and forcing a
+ * password change, need to go elsewhere (in Mike's login scripts).
+ */
+		{
+			time_t mytime;
+			mytime = time(NULL);
+			if (mytime > (20*365+5)*24*3600) mytime -= (20*365+5)*24*3600;
+			pdb_set_pass_last_set_time(sam_pass, mytime, PDB_CHANGED);
+		}
 		if (NT_STATUS_IS_OK(pdb_add_sam_account(sam_pass))) {
 			slprintf(msg_str, msg_str_len-1, "Added user %s.\n", user_name);
 			TALLOC_FREE(sam_pass);
--- printing/pcap.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ printing/pcap.c	2008-05-29 09:30:41.683806765 +1000
@@ -175,6 +175,18 @@
 		 * now find the most likely printer name and comment 
 		 * this is pure guesswork, but it's better than nothing
 		 */
+/* PSz  7 Apr 05 */
+/*
+ * Pure bogosity I say...
+ * I need all my printers: all aliases please.
+ * Reading line-by-line you may not see a comment: not always like
+ *   lp|My printer:stuff:
+ * but could be
+ *   lp1|lp2|
+ *   lp3|No comment
+ *   :stuff
+ * instead.
+ */
 		for (*name = *comment = 0, p = pcap_line; p != NULL; p = q) {
 			BOOL has_punctuation;
 
@@ -185,35 +197,46 @@
 			                   strchr_m(p, '\t') ||
 			                   strchr_m(p, '(') ||
 			                   strchr_m(p, ')'));
-
-			if (strlen(p) > strlen(comment) && has_punctuation) {
-				pstrcpy(comment, p);
-				continue;
-			}
-
-			if (strlen(p) <= MAXPRINTERLEN &&
-			    strlen(p) > strlen(name) && !has_punctuation) {
-				if (!*comment)
-					pstrcpy(comment, name);
-
+			if (strlen(p) > 0 && !has_punctuation) {
 				pstrcpy(name, p);
-				continue;
-			}
-
-			if (!strchr_m(comment, ' ') &&
-			    strlen(p) > strlen(comment)) {
-				pstrcpy(comment, p);
-				continue;
+				name[MAXPRINTERLEN] = 0;
+				if (*name && !pcap_cache_add(name, comment)) {
+					x_fclose(pcap_file);
+					goto done;
+				}
 			}
 		}
 
-		comment[60] = 0;
-		name[MAXPRINTERLEN] = 0;
-
-		if (*name && !pcap_cache_add(name, comment)) {
-			x_fclose(pcap_file);
-			goto done;
-		}
+/*
+ *			if (strlen(p) > strlen(comment) && has_punctuation) {
+ *				pstrcpy(comment, p);
+ *				continue;
+ *			}
+ *
+ *			if (strlen(p) <= MAXPRINTERLEN &&
+ *			    strlen(p) > strlen(name) && !has_punctuation) {
+ *				if (!*comment)
+ *					pstrcpy(comment, name);
+ *
+ *				pstrcpy(name, p);
+ *				continue;
+ *			}
+ *
+ *			if (!strchr_m(comment, ' ') &&
+ *			    strlen(p) > strlen(comment)) {
+ *				pstrcpy(comment, p);
+ *				continue;
+ *			}
+ *		}
+ *
+ *		comment[60] = 0;
+ *		name[MAXPRINTERLEN] = 0;
+ *
+ *		if (*name && !pcap_cache_add(name, comment)) {
+ *			x_fclose(pcap_file);
+ *			goto done;
+ *		}
+ */
 	}
 
 	x_fclose(pcap_file);
--- smbd/conn.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ smbd/conn.c	2008-05-29 09:30:41.706807558 +1000
@@ -177,7 +177,14 @@
 	connection_struct *conn, *next;
 	for (conn=Connections;conn;conn=next) {
 		next=conn->next;
-		set_current_service(conn, 0, True);
+/* PSz  6 Apr 05 */
+/*
+ * We are dropping connections, do not care about the return status of
+ * set_current_service: should not bother with do_chdir.
+ * (Often we do this with EUID=0, the user directories are NFS-mounted,
+ * so the chdir cannot succeed.)
+ */
+		set_current_service(conn, 0, False);
 		close_cnum(conn, conn->vuid);
 	}
 }
--- smbd/process.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ smbd/process.c	2008-05-29 09:30:41.745808904 +1000
@@ -988,7 +988,29 @@
 
 		/* load service specific parameters */
 		if (conn) {
-			if (!set_current_service(conn,SVAL(inbuf,smb_flg),(flags & (AS_USER|DO_CHDIR)?True:False))) {
+/* PSz  6 Apr 05 */
+/*
+ * Hmm:
+ *   if !(flags & AS_USER) then we done change_to_root_user();
+ *   if (flags & DO_CHDIR) then we will use do_chdir on set_current_service().
+ * This is likely to fail: the directory may be NFS-mounted and exported
+ * with root_squash (so has no root access).
+ * Fail it here and now, not going through the shame of a possibly failed
+ * chdir? The failed chdirs did not seem to affect any functionality (?!),
+ * so this should not either.
+ * In fact failing now seems to cause shares never to disconnect and smbd
+ * processes to "linger" forever. Do not fail, but do not use do_chdir.
+ * Use do_chdir only with AS_USER, ignore DO_CHDIR: I would not expect it
+ * to be needed for SMBexit and SMBtdis.
+ */
+/*
+*if ((!(flags & AS_USER)) && (flags & DO_CHDIR)) {
+*DEBUG(1,("PSz: Fail now, not in chdir(%s) within set_current_service (EUID is %d)\n", conn->connectpath, (int)geteuid() ));
+*			return(ERROR_DOS(ERRSRV,ERRaccess));
+*}
+*/
+/*			if (!set_current_service(conn,SVAL(inbuf,smb_flg),(flags & (AS_USER|DO_CHDIR)?True:False))) { */
+			if (!set_current_service(conn,SVAL(inbuf,smb_flg),(flags & AS_USER?True:False))) {
 				return(ERROR_DOS(ERRSRV,ERRaccess));
 			}
 			conn->num_smb_operations++;
--- smbd/server.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ smbd/server.c	2008-05-29 09:30:41.784810250 +1000
@@ -551,6 +551,28 @@
 				   descriptors */
 				close_low_fds(False);
 				am_parent = 0;
+
+/*
+ * PSz 29 Aug 02: Protect agains run-away processes
+ * (seen with client PC crashes).
+ * Easier to have this limit than to find the bug...
+ * Not too short: matlab is a hog, and so is Sonia's music.
+ * Just under nicejobs limit, which has been extended to 25 minutes.
+ */
+#ifdef HAVE_GETRLIMIT
+#ifdef RLIMIT_CPU
+	{
+		struct rlimit rlp;
+		getrlimit(RLIMIT_CPU, &rlp);
+		rlp.rlim_cur = MIN(1490,rlp.rlim_cur);
+		rlp.rlim_max = MIN(1495,rlp.rlim_max);
+		setrlimit(RLIMIT_CPU, &rlp);
+		getrlimit(RLIMIT_CPU, &rlp);
+		DEBUG(1,("CPU limits now %d %d\n",
+			 (int)rlp.rlim_cur,(int)rlp.rlim_max));
+	}
+#endif
+#endif
 				
 				set_socket_options(smbd_server_fd(),"SO_KEEPALIVE");
 				set_socket_options(smbd_server_fd(),user_socket_options);
--- utils/smbpasswd.c.orig	2008-05-28 22:41:11.000000000 +1000
+++ utils/smbpasswd.c	2008-05-29 09:30:41.809811112 +1000
@@ -363,6 +363,24 @@
 		        SAFE_FREE(new_passwd);
 			new_passwd = smb_xstrdup(user_name);
 			strlower_m(new_passwd);
+/* PSz 24 Mar 04
+ * Should not we use some random password instead?
+ * Would that solve the problem hinted at in howto/domain-member.html :
+ * 
+     Manually creating a Machine Trust Account using this method is the
+     equivalent of creating a Machine Trust Account on a Windows NT PDC
+     using the Server Manager. From the time at which the account is
+     created to the time the client joins the domain and changes the
+     password, your domain is vulnerable to an intruder joining your domain
+     using a machine with the same NetBIOS name. A PDC inherently trusts
+     members of the domain and will serve out a large degree of user
+     information to such clients. You have been warned! 
+ * 
+ * ?
+ * I do not think we ever use the fact that the client could "know" the
+ * machine password: our join-domain-without-root allows for any (left-over)
+ * passwords.
+ */
 		}
 
 		/*