Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.

Andrew Bartlett abartlet at samba.org
Tue May 20 22:16:48 GMT 2003


On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > We should apply the password restriction only for a NORMAL USER, not for a 
> > machine account, otherwise the joindomain will be failed! 

Is there any evidence that this has ever occurred?  We do not look at
this attribute when checking machine passwords...

> > So a check of "if 
> > (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in 
> > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and AP_MIN_PASSWORD_AGE 
> > policies.
> > 
> > I have patched the complete password policy on samba3.0 alpha22 (bad password 
> > attempt lockout, password history ..),  and I have also put it on the mailing 
> > list, but no comments from Samba Team. We would like to have these patches 
> > applied to the new version of the Samba 3.0, because our applications need 
> > these policies.
> > Should I put again these patches for Samba3.0 a24 on the mailing list?
> 
> I have them in my patch queue to evaluate (inbox :-). If you could post
> the latest versions again that would help as I have several versions to
> look at.

I've looked at them - and the main problem was the way that they decided
that you were an admin and exempt.  I would actually prefer (given we
still have unix logins aside from samba) that we lock the admin out with
everybody else - the other solutions for deciding 'is admin' are just
too ugly...

As to password history, I don't think this is the right approach, and
instead we should use the approach suggested in the password quality
patch - which is to give the problem to an external program.

(One of the measures of quality can be 'not submitted to this program as
a password to change to recently').

Unfortunately the password quality patch didn't make it into the feature
freeze because I didn't get time to look over the resubmitted version,
and there were still some changes that were discussed but not
implemented in the patch.  

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
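
The external-checker idea from the message above, sketched as an added example (it is not part of this message and is not Samba code): a checker that rejects a candidate password if it was submitted to it recently. The function names, the in-memory store, the history depth and the PBKDF2 parameters are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed PBKDF2 work factor
KEEP = 3              # assumed number of recent submissions remembered per account


def _digest(password: str, salt: bytes) -> bytes:
    # Slow salted hash, so the history never holds a recoverable password.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def seen_recently(history, password: str) -> bool:
    """True if password matches any (salt, digest) entry in history."""
    hit = False
    for salt, digest in history:
        # Check every entry and compare in constant time.
        hit |= hmac.compare_digest(_digest(password, salt), digest)
    return hit


def check_and_record(store: dict, account: str, password: str) -> bool:
    """Return True to accept the change, False if the password was submitted recently.

    store maps account name -> list of (salt, digest), oldest first.
    It is a plain dict here; a deployed checker would persist it in a
    file readable only by the checker's own user.
    """
    history = store.setdefault(account, [])
    if seen_recently(history, password):
        return False
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))
    del history[:-KEEP]  # forget everything but the newest KEEP entries
    return True


if __name__ == "__main__":
    # Constructed sample sequence of password changes for one account.
    store = {}
    for candidate in ["Spring2003!", "Spring2003!", "Summer2003!"]:
        verdict = "accept" if check_and_record(store, "alice", candidate) else "reject"
        print(verdict)
```
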