--wuth-tdbsam ?

Andrew Bartlett abartlet at samba.org
Fri Sep 27 01:54:01 GMT 2002


Steve Langasek wrote:
> 
> On Fri, Sep 27, 2002 at 11:18:01AM +1000, Andrew Bartlett wrote:
> 

> > The problem isn't actually tdbsam, it's smbpasswd.  Smbpasswd is giving
> > out dodgy made up values.  See, we have a policy database that stores
> > the 'max password age' etc, but we don't do 'last change time + max
> > password age = must change time' yet.  I was going to do that, but with
> > a default value of 21 days, it would lock a lot of people out (who would
> > certainly not be expecting it).
> 
> Well, the users aren't going to care /where/ the problem lies if they
> upgrade and find that the defaults cause them to start being locked out
> of their accounts... :)  The fact is that if tdbsam is going to become
> the default and preferred backend, users are going to need some way to
> sanely migrate from smbpasswd to tdbsam.

I honestly doubt tdbsam is sufficiently stable for use as a default.  I
think we need that kind of backend, but given its extremely limited
testing, it worries me.  Yes, this is a circular dependency.  

The way the ldap stuff got around it was that we had a 'pull' from
users, but users by and large don't appreciate the benefits of tdbsam,
so don't go out of their way to use it.

> > Really, people have been using smbpasswd on the assumption that
> > 'password does not expire' was implicitly set.  Possibly having an easy
> > tool to set that on every account might be a good idea, but I'm just not
> > sure.
> 
> So then, doesn't it make sense to treat smbpasswd entries as if "password
> does not expire" is set as part of the smbpasswd pdb interface?  Why
> change the semantics of the smbpasswd entry unnecessarily?

Except we have a flag for 'password does not expire' - and we don't have
a sensible way to set a negating flag 'password does expire'.  Forcing
that flag 'on' might be the most sensible choice, except then we get a
mismatch between smbpasswd and the other backends (again...).

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net


