Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.

Andrew Bartlett abartlet at samba.org
Tue May 20 22:16:48 GMT 2003

On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > We should apply the password restriction only for a NORMAL USER, not for a
> > machine account, otherwise the joindomain will fail!

Is there any evidence that this has ever occurred?  We do not look at
this attribute when checking machine passwords...

> > So a check of "if 
> > (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in 
> > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and AP_MIN_PASSWORD_AGE 
> > policies.
> > 
> > I have patched the complete password policy on samba3.0 alpha22 (bad password 
> > attempt lockout, password history ..),  and I have also put it on the mailing 
> > list, but no comments from Samba Team. We would like to have these patches 
> > applied to the new version of the Samba 3.0, because our applications need 
> > these policies.
> > Should I put again these patches for Samba3.0 a24 on the mailing list?
> I have them in my patch queue to evaluate (inbox :-). If you could post
> the latest versions again that would help as I have several versions to
> look at.

I've looked at them - and the main problem was the way that they decided
that you were an admin and exempt.  I would actually prefer (given we
still have unix logins aside from samba) that we lock the admin out with
everybody else - the other solutions for deciding 'is admin' are just
too ugly...

As to password history, I don't think this is the right approach, and
instead we should use the approach suggested in the password quality
patch - which is to give the problem to an external program.

(One of the measures of quality can be 'not submitted to this program as
a password to change to recently').

Unfortunately the password quality patch didn't make it into the feature
freeze because I didn't get time to look over the resubmitted version,
and there were still some changes that were discussed but not
implemented in the patch.  

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net