Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.
Andrew Bartlett
abartlet at samba.org
Tue May 20 22:16:48 GMT 2003
On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > We should apply the password restriction only for a NORMAL USER, not for a
> > machine account, otherwise the joindomain will fail!

Is there any evidence that this has ever occurred? We do not look at
this attribute when checking machine passwords...

> > So a check of "if
> > (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in
> > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and AP_MIN_PASSWORD_AGE
> > policies.
> >
> > I have patched the complete password policy on samba3.0 alpha22 (bad password
> > attempt lockout, password history ..), and I have also put it on the mailing
> > list, but no comments from Samba Team. We would like to have these patches
> > applied to the new version of the Samba 3.0, because our applications need
> > these policies.
> > Should I put these patches for Samba3.0 a24 on the mailing list again?
>
> I have them in my patch queue to evaluate (inbox :-). If you could post
> the latest versions again that would help as I have several versions to
> look at.

I've looked at them - and the main problem was the way that they decided
that you were an admin and exempt. I would actually prefer (given we
still have unix logins aside from samba) that we lock the admin out with
everybody else - the other solutions for deciding 'is admin' are just
too ugly...

As to password history, I don't think this is the right approach, and
instead we should use the approach suggested in the password quality
patch - which is to give the problem to an external program.

(One of the measures of quality can be 'not submitted to this program as
a password to change to recently').

Unfortunately the password quality patch didn't make it into the feature
freeze because I didn't get time to look over the resubmitted version,
and there were still some changes that were discussed but not
implemented in the patch.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
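
The approach suggested above, handing password history to an external program, could look like the following. This is an added example, not code from this thread or from Samba; the calling convention (user name as argument, candidate password on stdin, exit status 0 to accept), the JSON store, the file name and the constants are assumptions.

```python
import hashlib
import hmac
import json
import os
import sys

ITERATIONS = 200_000   # PBKDF2 work factor (assumed value for this example)
KEEP = 5               # recent submissions remembered per user (assumed)


def _digest(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def seen_recently(history: list, password: str) -> bool:
    """True if password matches any remembered entry; each entry has its own salt."""
    hit = False
    for entry in history:
        salt = bytes.fromhex(entry["salt"])
        want = bytes.fromhex(entry["hash"])
        # compare_digest avoids leaking the match position through timing
        hit |= hmac.compare_digest(_digest(password, salt), want)
    return hit


def check_and_record(path: str, user: str, password: str, keep: int = KEEP) -> bool:
    """Return True (accept) if the password was not recently submitted for user."""
    try:
        with open(path) as fh:
            store = json.load(fh)
    except FileNotFoundError:
        store = {}
    history = store.get(user, [])
    if seen_recently(history, password):
        return False
    salt = os.urandom(16)
    history.append({"salt": salt.hex(), "hash": _digest(password, salt).hex()})
    store[user] = history[-keep:]          # drop entries older than the last `keep`
    # 0600: the file holds password hashes, so only the owner may read it
    fd = os.open(path + ".tmp", os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        json.dump(store, fh)
    os.replace(path + ".tmp", path)        # atomic swap, no half-written store
    return True


if __name__ == "__main__":
    # Hypothetical calling convention: user name as argv[1], candidate on stdin,
    # exit status 0 = accept, 1 = reject.
    candidate = sys.stdin.readline().rstrip("\n")
    sys.exit(0 if check_and_record("pwhistory.json", sys.argv[1], candidate) else 1)
```

Only salted hashes of accepted passwords are stored, and a rejected candidate leaves the store unchanged.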