user cannot change password code

Jim McDonough jmcd at samba.org
Wed Sep 27 04:01:39 GMT 2006


I've finally gotten through the code for enabling the "User cannot change
password" checkbox in usrmgr.  I've still got some verification to do of
password changes, but the code so far is in
http://people.samba.org/bzr/jmcd/SAMBA_3_0-pw.bzr/ at revision 3407.  I'll
need to add some wraparound checks and the ldap backend code, I know...

What I've noticed on the wire is this behavior:

- Under 'normal' circumstances, the "can change" and "must change" times are
calculated based on the account policies and "last set" time

- When the "user must change password at next logon" box is checked, the
"last set", "can change", and "must change" times are all zero.  If the user
changes the password or the box is unchecked, the "last set" time goes to
current.

- When the "user cannot change password" box is checked, the times are still
calculated, but the security descriptor returned has the x00000040 bit off in
_both_ the S-1-1-0 SID and the domain user sid.

So in normal circumstances, pdb_get_can_change time will be calculated, but
if it is max_time_t, it can be interpreted to mean that the password cannot
be set.  I had to add a separate BOOL pdb_get_pass_can_change() that checks
this, and also a pdb_get_password_can_change_time_noncalc() because on
setting up the tdb_pack(), it was getting the calculated time, and writing
that back out.
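
The three on-the-wire cases listed above, modelled as an added example (not code from this post or from Samba): it shows that a "can change" time which saturates at the maximum stays distinguishable from a cleared change-password bit when the decision is kept separate from the calculated time. All struct, function and macro names are hypothetical, and `TIME_NEVER` is an assumed stand-in for max_time_t.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* Added illustration: every name below is hypothetical, not Samba's API. */
#define CHANGE_PASSWORD_BIT 0x00000040u  /* bit the post reports as cleared */
#define TIME_NEVER ((time_t)INT32_MAX)   /* assumed stand-in for max_time_t */

struct acct {
    time_t last_set;       /* 0 = "must change password at next logon" */
    bool   cannot_change;  /* "User cannot change password" checkbox */
};
struct wire_view {
    time_t   last_set, can_change, must_change;
    uint32_t everyone_mask, user_mask;  /* ACEs for S-1-1-0 and the user SID */
};

/* Add a policy age to a timestamp, saturating instead of wrapping around. */
static time_t add_sat(time_t t, time_t age)
{
    if (age < 0 || t > TIME_NEVER - age)
        return TIME_NEVER;
    return t + age;
}

/* Build the values a client would see for the three cases in the post.
 * base_mask is the access the ACEs grant before the checkbox is applied. */
struct wire_view compute_wire_view(const struct acct *a, time_t min_age,
                                   time_t max_age, uint32_t base_mask)
{
    struct wire_view v = {0};
    v.everyone_mask = v.user_mask = base_mask;
    if (a->cannot_change) {             /* bit off in both ACEs */
        v.everyone_mask &= ~CHANGE_PASSWORD_BIT;
        v.user_mask &= ~CHANGE_PASSWORD_BIT;
    }
    if (a->last_set == 0)               /* all three times stay zero */
        return v;
    v.last_set = a->last_set;           /* times are calculated either way */
    v.can_change = add_sat(a->last_set, min_age);
    v.must_change = add_sat(a->last_set, max_age);
    return v;
}

/* Decide from the stored permission, never from a calculated time. */
bool pass_can_change(const struct wire_view *v)
{
    return (v->everyone_mask & v->user_mask & CHANGE_PASSWORD_BIT) != 0;
}
```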

