--- passdb/passdb.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ passdb/passdb.c	2012-04-11 09:51:09.000000000 +1000
@@ -877,20 +877,48 @@
 					"Failed to unset 'disabled' flag for "
 					"user %s.\n", user_name);
 			if (ret < 0) {
 				*pp_err_str = NULL;
 			}
 			result = NT_STATUS_UNSUCCESSFUL;
 			goto done;
 		}
 	}
 
+/* PSz 19 Aug 04 - old comments
+ * Above it said "just write ... the valid last change time"
+ * but I do not see that set anywhere (left at 0 since pdb_init_sam?).
+ * 
+ * PSz 15 Jan 2010
+ * Above sets last change time to now (within pdb_set_plaintext_passwd).
+ * When creating a new user, set last change time back twenty years.
+ * 
+ * Makes sense to use current time. But, we want something like pre-expired
+ * passwords: set up students with a default password and force them to
+ * change it upon first login.
+ * 
+ * Seems that must_change_time is not supported (in smbpasswd file).
+ * We could set time to 0 or something else fixed; instead we set it back
+ * by twenty years (so may still figure out when this really was done).
+ * Chose 20: wanted a decade, round number, easy counting of leap years.
+ * The detection of any such "special" last-change-time, and forcing a
+ * password change, need to go elsewhere (in Mike's login scripts).
+ */
+	if (local_flags & LOCAL_ADD_USER) {
+		time_t mytime;
+		mytime = time(NULL);
+		if (mytime > (20*365+5)*24*3600) {
+			mytime -= (20*365+5)*24*3600;
+			pdb_set_pass_last_set_time (sam_pass, mytime, PDB_CHANGED);
+		}
+	}
+
 	/* now commit changes if any */
 	result = pdb_update_sam_account(sam_pass);
 	if (!NT_STATUS_IS_OK(result)) {
 		ret = asprintf(pp_err_str,
 				"Failed to modify entry for user %s.\n",
 				user_name);
 		if (ret < 0) {
 			*pp_err_str = NULL;
 		}
 		goto done;
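Review bot: The result of `pdb_set_pass_last_set_time()` is discarded in the added `LOCAL_ADD_USER` block, so a failed backdate leaves the new account with a current last-change time and no error is reported. Every other failure path visible in this hunk fills `pp_err_str` and jumps to `done`, and the new block should do the same. The literal `(20*365+5)*24*3600` is also written twice and would be clearer as one named constant. According to the added comment, the forced change is enforced only by external login scripts, so it is worth confirming that the default password cannot be used over SMB before those scripts run. The enclosing function starts and ends outside the hunk.

```c
	if (local_flags & LOCAL_ADD_USER) {
		/* 20 years including 5 leap days, in seconds */
		const time_t backdate = (time_t)(20*365+5)*24*3600;
		time_t now = time(NULL);

		if (now > backdate &&
		    !pdb_set_pass_last_set_time(sam_pass, now - backdate,
						PDB_CHANGED)) {
			ret = asprintf(pp_err_str,
					"Failed to backdate last change time for "
					"user %s.\n", user_name);
			if (ret < 0) {
				*pp_err_str = NULL;
			}
			result = NT_STATUS_UNSUCCESSFUL;
			goto done;
		}
	}
	/* … unchanged: pdb_update_sam_account() commit and its error path … */
```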
--- printing/print_standard.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ printing/print_standard.c	2012-04-11 09:51:09.000000000 +1000
@@ -78,51 +78,73 @@
 			continue;
 
 		/* now we have a real printer line - cut at the first : */
 		if ((p = strchr_m(pcap_line, ':')) != NULL)
 			*p = 0;
 
 		/*
 		 * now find the most likely printer name and comment
 		 * this is pure guesswork, but it's better than nothing
 		 */
+/* PSz  7 Apr 05 */
+/*
+ * Pure bogosity I say...
+ * I need all my printers: all aliases please.
+ * Reading line-by-line you may not see a comment: not always like
+ *   lp|My printer:stuff:
+ * but could be
+ *   lp1|lp2|
+ *   lp3|No comment
+ *   :stuff
+ * instead.
+ */
 		for (*name = *comment = 0, p = pcap_line; p != NULL; p = q) {
 			bool has_punctuation;
 
 			if ((q = strchr_m(p, '|')) != NULL)
 				*q++ = 0;
 
 			has_punctuation = (strchr_m(p, ' ') ||
 			                   strchr_m(p, '\t') ||
 					   strchr_m(p, '"') ||
 					   strchr_m(p, '\'') ||
 					   strchr_m(p, ';') ||
 					   strchr_m(p, ',') ||
 			                   strchr_m(p, '(') ||
 			                   strchr_m(p, ')'));
-
-			if (strlen(p) > strlen(comment) && has_punctuation) {
-				strlcpy(comment, p, sizeof(comment));
-				continue;
-			}
-
-			if (strlen(p) <= MAXPRINTERLEN && *name == '\0' && !has_punctuation) {
+			if (strlen(p) > 0 && strlen(p) <= MAXPRINTERLEN && !has_punctuation) {
 				strlcpy(name, p, sizeof(name));
-				continue;
-			}
-
-			if (!strchr_m(comment, ' ') &&
-			    strlen(p) > strlen(comment)) {
-				strlcpy(comment, p, sizeof(comment));
-				continue;
+				if (*name && !pcap_cache_add(name, comment, NULL)) {
+					x_fclose(pcap_file);
+					return false;
+				}
 			}
 		}
 
-		if (*name && !pcap_cache_add(name, comment, NULL)) {
-			x_fclose(pcap_file);
-			return false;
-		}
+/*
+ *			if (strlen(p) > strlen(comment) && has_punctuation) {
+ *				strlcpy(comment, p, sizeof(comment));
+ *				continue;
+ *			}
+ *
+ *			if (strlen(p) <= MAXPRINTERLEN && *name == '\0' && !has_punctuation) {
+ *				strlcpy(name, p, sizeof(name));
+ *				continue;
+ *			}
+ *
+ *			if (!strchr_m(comment, ' ') &&
+ *			    strlen(p) > strlen(comment)) {
+ *				strlcpy(comment, p, sizeof(comment));
+ *				continue;
+ *			}
+ *		}
+ *
+ *		if (*name && !pcap_cache_add(name, comment, NULL)) {
+ *			x_fclose(pcap_file);
+ *			return false;
+ *		}
+*/
 	}
 
 	x_fclose(pcap_file);
 	return true;
 }
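Review bot: Nothing in the rewritten loop assigns `comment` after the `*name = *comment = 0` initialiser, so every `pcap_cache_add(name, comment, NULL)` call now registers the printer with an empty comment. Any `|`-separated token without punctuation is also added as a printer, so a one-word description such as the last field of `lp|Laser` would appear as a printer name. If both effects are intended, say so in a short comment such as `/* every punctuation-free alias is registered; descriptions are deliberately dropped */`. The `*name &&` test is redundant after `strlen(p) > 0`. Delete the 20-line commented-out copy of the old logic rather than keeping it in the file, since version control already preserves it. The enclosing function starts above the hunk.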
--- smbd/conn.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ smbd/conn.c	2012-04-11 09:51:09.000000000 +1000
@@ -231,21 +231,28 @@
 				TALLOC_FREE(tcon);
 				ret = true;
 			}
 		}
 	} else {
 		/* SMB1 */
 		connection_struct *conn, *next;
 
 		for (conn=sconn->smb1.tcons.Connections;conn;conn=next) {
 			next=conn->next;
-			set_current_service(conn, 0, True);
+/* PSz  6 Apr 05 */
+/*
+ * We are dropping connections, do not care about the return status of
+ * set_current_service: should not bother with do_chdir.
+ * (Often we do this with EUID=0, the user directories are NFS-mounted,
+ * so the chdir cannot succeed.)
+ */
+			set_current_service(conn, 0, False);
 			close_cnum(conn, conn->vuid);
 			ret = true;
 		}
 	}
 	return ret;
 }
 
 /****************************************************************************
  Update last used timestamps.
 ****************************************************************************/
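Review bot: The call `set_current_service(conn, 0, False);` still discards its return value, and the only sign that this is deliberate is a dated, column-0 comment in the middle of the loop. Make the intent explicit with `(void)set_current_service(conn, 0, False);` and a one-line, correctly indented comment such as `/* tearing down: result ignored, no chdir needed */`. The NFS and root-squash background belongs in the commit message. With `do_chdir` now false, the working directory during `close_cnum()` is whatever the previous operation left. If anything on that teardown path resolves relative paths or runs share-level commands, confirm that it does not rely on being inside the share. The enclosing function starts above the hunk.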
--- smbd/process.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ smbd/process.c	2012-04-11 09:51:09.000000000 +1000
@@ -1545,22 +1545,46 @@
 			/* encrypted required from now on. */
 			conn->encrypt_level = Required;
 		} else if (ENCRYPTION_REQUIRED(conn)) {
 			if (req->cmd != SMBtrans2 && req->cmd != SMBtranss2) {
 				exit_server_cleanly("encryption required "
 					"on connection");
 				return conn;
 			}
 		}
 
-		if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
+/* PSz  6 Apr 05 */
+/*
+ * Hmm:
+ *   if !(flags & AS_USER) then we done change_to_root_user();
+ *   if (flags & DO_CHDIR) then we will use do_chdir on set_current_service().
+ * This is likely to fail: the directory may be NFS-mounted and exported
+ * with root_squash (so has no root access).
+ * Fail it here and now, not going through the shame of a possibly failed
+ * chdir? The failed chdirs did not seem to affect any functionality (?!),
+ * so this should not either.
+ * In fact failing now seems to cause shares never to disconnect and smbd
+ * processes to "linger" forever. Do not fail, but do not use do_chdir.
+ * Use do_chdir only with AS_USER, ignore DO_CHDIR: I would not expect it
+ * to be needed for SMBexit and SMBtdis.
+ */
+/*
+*if ((!(flags & AS_USER)) && (flags & DO_CHDIR)) {
+*DEBUG(1,("PSz: Fail now, not in chdir(%s) within set_current_service (EUID is %d)\n", conn->connectpath, (int)geteuid() ));
+*			return(ERROR_DOS(ERRSRV,ERRaccess));
+*}
+*/
+/*		if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
 					 (flags & (AS_USER|DO_CHDIR)
+					  ?True:False))) { */
+		if (!set_current_service(conn,SVAL(req->inbuf,smb_flg),
+					 (flags & AS_USER
 					  ?True:False))) {
 			reply_nterror(req, NT_STATUS_ACCESS_DENIED);
 			return conn;
 		}
 		conn->num_smb_operations++;
 	}
 
 	/* does this protocol need to be run as guest? */
 	if ((flags & AS_GUEST)
 	    && (!change_to_guest() ||
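Review bot: Dropping `DO_CHDIR` from the `set_current_service()` argument affects every request type that sets `DO_CHDIR` without `AS_USER`, but the comment's assumption that only SMBexit and SMBtdis are in that group is not checked anywhere in the hunk. Such a request would now run in whatever directory the previous request left, which may belong to a different share, so verify the flag table before relying on this. The two commented-out code fragments, the early `return(ERROR_DOS(...))` and the old call, should be deleted rather than kept as dead text. The new condition reads more clearly as `bool do_chdir = (flags & AS_USER) != 0;` passed to the call, with a short comment stating that `DO_CHDIR` is intentionally ignored. The enclosing function starts and ends outside the hunk.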
--- smbd/server.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ smbd/server.c	2012-04-11 09:51:09.000000000 +1000
@@ -449,20 +449,42 @@
 	 */
 	generate_random_buffer((uint8_t *)&unique_id, sizeof(unique_id));
 
 	pid = sys_fork();
 	if (pid == 0) {
 		NTSTATUS status = NT_STATUS_OK;
 
 		/* Child code ... */
 		am_parent = 0;
 
+/*
+ * PSz 29 Aug 02: Protect agains run-away processes
+ * (seen with client PC crashes).
+ * Easier to have this limit than to find the bug...
+ * Not too short: matlab is a hog, and so is Sonia's music.
+ * Just under nicejobs limit, which has been extended to 25 minutes.
+ */
+#ifdef HAVE_GETRLIMIT
+#ifdef RLIMIT_CPU
+	{
+		struct rlimit rlp;
+		getrlimit(RLIMIT_CPU, &rlp);
+		rlp.rlim_cur = MIN(1490,rlp.rlim_cur);
+		rlp.rlim_max = MIN(1495,rlp.rlim_max);
+		setrlimit(RLIMIT_CPU, &rlp);
+		getrlimit(RLIMIT_CPU, &rlp);
+		DEBUG(1,("CPU limits now %d %d\n",
+			 (int)rlp.rlim_cur,(int)rlp.rlim_max));
+	}
+#endif
+#endif
+
 		set_my_unique_id(unique_id);
 
 		/* Stop zombies, the parent explicitly handles
 		 * them, counting worker smbds. */
 		CatchChild();
 
 		/* close our standard file
 		   descriptors */
 		close_low_fds(False);
 
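Review bot: Both `getrlimit()` and `setrlimit()` are called without checking their results in the added block, so if the first call fails the `MIN()` lines operate on an uninitialised `struct rlimit`, and a failed `setrlimit()` goes unnoticed. The `(int)` casts in the `DEBUG` line also truncate `rlim_t`, which would misprint an unlimited value if the limit was not applied. Separately, the cap is cumulative CPU time per child, so a long-lived legitimate session that reaches the hard limit is killed by the kernel without smbd's normal cleanup of open files and locks. That trade-off deserves a configurable value rather than the literals `1490` and `1495`. The block is also indented one level shallower than the surrounding child code.

```c
		/* … unchanged: #ifdef HAVE_GETRLIMIT / RLIMIT_CPU guards … */
		{
			struct rlimit rlp;

			if (getrlimit(RLIMIT_CPU, &rlp) != 0) {
				DEBUG(1,("getrlimit(RLIMIT_CPU) failed: %s\n",
					 strerror(errno)));
			} else {
				rlp.rlim_cur = MIN((rlim_t)1490, rlp.rlim_cur);
				rlp.rlim_max = MIN((rlim_t)1495, rlp.rlim_max);
				if (setrlimit(RLIMIT_CPU, &rlp) != 0) {
					DEBUG(1,("setrlimit(RLIMIT_CPU) failed: %s\n",
						 strerror(errno)));
				} else {
					DEBUG(1,("CPU limits now %llu %llu\n",
						 (unsigned long long)rlp.rlim_cur,
						 (unsigned long long)rlp.rlim_max));
				}
			}
		}
```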
--- utils/smbpasswd.c.orig	2012-04-07 23:23:20.000000000 +1000
+++ utils/smbpasswd.c	2012-04-11 09:51:09.000000000 +1000
@@ -363,20 +363,38 @@
 		 */
 
 		if (user_name[strlen(user_name)-1] == '$') {
 			user_name[strlen(user_name)-1] = 0;
 		}
 
 		if (local_flags & LOCAL_ADD_USER) {
 		        SAFE_FREE(new_passwd);
 			new_passwd = smb_xstrdup(user_name);
 			strlower_m(new_passwd);
+/* PSz 24 Mar 04
+ * Should not we use some random password instead?
+ * Would that solve the problem hinted at in howto/domain-member.html :
+ * 
+     Manually creating a Machine Trust Account using this method is the
+     equivalent of creating a Machine Trust Account on a Windows NT PDC
+     using the Server Manager. From the time at which the account is
+     created to the time the client joins the domain and changes the
+     password, your domain is vulnerable to an intruder joining your domain
+     using a machine with the same NetBIOS name. A PDC inherently trusts
+     members of the domain and will serve out a large degree of user
+     information to such clients. You have been warned! 
+ * 
+ * ?
+ * I do not think we ever use the fact that the client could "know" the
+ * machine password: our join-domain-without-root allows for any (left-over)
+ * passwords.
+ */
 		}
 
 		/*
 		 * Now ensure the username ends in '$' for
 		 * the machine add.
 		 */
 
 		slprintf(buf, sizeof(buf)-1, "%s$", user_name);
 		fstrcpy(user_name, buf);
 	} else if (local_flags & LOCAL_INTERDOM_ACCOUNT) {
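Review bot: The comment added after `strlower_m(new_passwd);` is written as an open question and pastes a documentation paragraph without the ` * ` continuation prefix, so the one fact a maintainer needs is buried. That fact is that the initial machine-account password is the lower-cased account name and is therefore predictable until the client joins and changes it. A direct statement would serve better, for example `/* NOTE: initial machine password is the lower-cased account name, so it is guessable until the client joins and resets it; see howto/domain-member.html */`. The closing remark about join-domain-without-root describes one site's setup and belongs in the commit message. If a random initial password is workable for this code path, that would be a follow-up code change, not a comment.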
