user password expiration patch (Samba 2.2.4/2.2.5 PDC with LDAP)

Marcus Linke Marcus.Linke at fh-stralsund.de
Thu Jul 18 02:23:02 GMT 2002


the following problem occurs when using samba 2.2.4 or 2.2.5 with ldap 
support as PDC:

any time when a user logs on he is asked to change his/her password.
whether he change it or not he will be asked again next time he logs on.
this is annoying.

the reason is, that the LDAP attribute 'pwdMustChange' is not updated at all. 
the easiest way to solve this to set the attribute to the highest possible 
value so the user will be never asked.

maybe a better solution is a new smb.conf parameter, for example 'user 
password expiration', that describes the time a new user password is valid.
to handle this new option we have patched the related files.

this patch has already been sent to samba-patches at samba.org but was probably 
deleted. may be there was a problem with our mail or the jitterbug system.

were nice to integrate this patch into the official samba release, because we 
need this functionality here at our university.

any suggestions?

diff -ur --new-file samba.org/source/param/loadparm.c 
samba-2.2.4/source/param/loadparm.c
--- samba.org/source/param/loadparm.c	Fri May  3 03:03:25 2002
+++ samba-2.2.4/source/param/loadparm.c	Thu Jun  6 16:49:53 2002
@@ -204,6 +204,7 @@
 	int client_code_page;
 	int announce_as;	/* This is initialised in init_globals */
 	int machine_password_timeout;
+	int user_password_expiration;
 	int change_notify_timeout;
 	int stat_cache_size;
 	int map_to_guest;
@@ -953,6 +954,8 @@
 #endif /* USING_GROUPNAME_MAP */
 	
 	{"machine password timeout", P_INTEGER, P_GLOBAL, 
&Globals.machine_password_timeout, NULL, NULL, 0},
+	
+	{"user password expiration", P_INTEGER, P_GLOBAL, 
&Globals.user_password_expiration, NULL, NULL, 0},
 
 	{"Logon Options", P_SEP, P_SEPARATOR},
 	
@@ -1327,6 +1330,7 @@
 	Globals.max_wins_ttl = 60 * 60 * 24 * 6;	/* 6 days default. */
 	Globals.min_wins_ttl = 60 * 60 * 6;	/* 6 hours default. */
 	Globals.machine_password_timeout = 60 * 60 * 24 * 7;	/* 7 days default. */
+	Globals.user_password_expiration = 60 * 60 * 24 * 21;	/* 21 days default. */
 	Globals.change_notify_timeout = 60;	/* 1 minute default. */
 	Globals.ReadSize = 16 * 1024;
 	Globals.lm_announce = 2;	/* = Auto: send only if LM clients found */
@@ -1673,6 +1677,7 @@
 FN_GLOBAL_INTEGER(lp_lm_announce, &Globals.lm_announce)
 FN_GLOBAL_INTEGER(lp_lm_interval, &Globals.lm_interval)
 FN_GLOBAL_INTEGER(lp_machine_password_timeout, 
&Globals.machine_password_timeout)
+FN_GLOBAL_INTEGER(lp_user_password_expiration, 
&Globals.user_password_expiration)
 FN_GLOBAL_INTEGER(lp_change_notify_timeout, &Globals.change_notify_timeout)
 FN_GLOBAL_INTEGER(lp_stat_cache_size, &Globals.stat_cache_size)
 FN_GLOBAL_INTEGER(lp_map_to_guest, &Globals.map_to_guest)
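Review bot: `lp_user_password_expiration()` returns the smb.conf integer unchecked, and the pdb_ldap.c, pdb_smbpasswd.c and pdb_tdb.c hunks add it straight to `time(NULL)`. A value of 0 or below gives a must-change time that is already in the past, which would bring back the change-password prompt at every logon, and a very large value can overflow the sum. As far as these hunks show, the table entry passes NULL in the slot after the pointer, so nothing rejects such values. I would state the unit and range next to the field, e.g. `int user_password_expiration;	/* seconds a new user password stays valid; must be > 0 */`, check the range where the value is used, and add the parameter to the smb.conf documentation, which this patch does not touch.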
diff -ur --new-file samba.org/source/passdb/pdb_ldap.c 
samba-2.2.4/source/passdb/pdb_ldap.c
--- samba.org/source/passdb/pdb_ldap.c	Fri May  3 03:03:26 2002
+++ samba-2.2.4/source/passdb/pdb_ldap.c	Fri Jun  7 14:39:10 2002
@@ -608,7 +608,7 @@
 	slprintf (temp, sizeof (temp) - 1, "%li", 
pdb_get_pass_can_change_time(sampass));
 	make_a_mod(mods, ldap_state, "pwdCanChange", temp);
 
-	slprintf (temp, sizeof (temp) - 1, "%li", 
pdb_get_pass_must_change_time(sampass));
+	slprintf (temp, sizeof (temp) - 1, "%li", 
time(NULL)+lp_user_password_expiration()); 
 	make_a_mod(mods, ldap_state, "pwdMustChange", temp);
 
 	/* displayName, cn, and gecos should all be the same
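Review bot: The new `pwdMustChange` value is computed from `time(NULL)` each time these mods are built, so the deadline moves forward on every write of the entry instead of being fixed when the password was set. If the entry is rewritten more often than the expiration interval (the callers are outside this hunk), the password never expires, and any must-change time already held in `sampass`, such as one set by an administrator, is ignored. Anchoring on the last password change keeps the policy enforceable: `pdb_get_pass_last_set_time(sampass) + lp_user_password_expiration()`. The same applies to the `pass_must_change_time` assignment in the pdb_tdb.c hunk. The enclosing function starts and ends outside the hunk.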
diff -ur --new-file samba.org/source/passdb/pdb_smbpasswd.c 
samba-2.2.4/source/passdb/pdb_smbpasswd.c
--- samba.org/source/passdb/pdb_smbpasswd.c	Sun Feb  3 01:46:49 2002
+++ samba-2.2.4/source/passdb/pdb_smbpasswd.c	Thu Jun  6 17:11:02 2002
@@ -1222,10 +1222,11 @@
 	
 	pdb_set_dir_drive     (sam_pass, lp_logon_drive(), False);
 
-	/* FIXME!!  What should this be set to?  New smb.conf parameter maybe?
-	   max password age?   For now, we'll use the current time + 21 days. 
-	   --jerry */
-	pdb_set_pass_must_change_time (sam_pass, time(NULL)+1814400);
+	/* to jerry --   
+	   FIXED!! New smb.conf parameter "user password expiration"
+	   default is 21 days in sec. 
+	   --marcus & fred */
+	pdb_set_pass_must_change_time (sam_pass, 
time(NULL)+lp_user_password_expiration());
 
 	/* check if this is a user account or a machine account */
 	if (samlogon_user[strlen(samlogon_user)-1] != '$')
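Review bot: The replacement comment is addressed to a person ("to jerry -- FIXED!!") and records the history of the change rather than what the statement does; that belongs in the commit message. I would write `/* must-change time = now + "user password expiration" (smb.conf, seconds) */` instead. As before the patch, the deadline is relative to `time(NULL)`, so whether it is ever reached depends on how often this function rebuilds `sam_pass`, which lies outside the hunk.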
diff -ur --new-file samba.org/source/passdb/pdb_tdb.c 
samba-2.2.4/source/passdb/pdb_tdb.c
--- samba.org/source/passdb/pdb_tdb.c	Fri May  3 03:03:27 2002
+++ samba-2.2.4/source/passdb/pdb_tdb.c	Fri Jun  7 14:48:27 2002
@@ -289,7 +289,7 @@
 	logoff_time = (uint32)pdb_get_logoff_time(sampass);
 	kickoff_time = (uint32)pdb_get_kickoff_time(sampass);
 	pass_can_change_time = (uint32)pdb_get_pass_can_change_time(sampass);
-	pass_must_change_time = (uint32)pdb_get_pass_must_change_time(sampass);
+	pass_must_change_time = (uint32) time(NULL)+lp_user_password_expiration(); 
 	pass_last_set_time = (uint32)pdb_get_pass_last_set_time(sampass);
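Review bot: In `(uint32) time(NULL)+lp_user_password_expiration()` the cast binds only to `time(NULL)`, so the `int` parameter is converted to unsigned for the addition and a negative setting wraps to a far-future time instead of being caught. The neighbouring assignments cast the whole value; for consistency and to make the intent explicit this should read `pass_must_change_time = (uint32)(time(NULL) + lp_user_password_expiration());`. The enclosing function starts and ends outside the hunk.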
 
 








