Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.

Jianliang Lu j.lu at tiesse.com
Wed May 21 07:25:46 GMT 2003


> On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> > On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > > We should apply the password restriction only for a NORMAL USER, not for a
> > > machine account, otherwise the joindomain will fail!
> 
> Is there any evidence that this has ever occurred?  We do not look at
> this attribute when checking machine passwords...
> 

Yes! When we applied the "min password age" policy for 1 day, a
joindomain failed. After the fix all went fine.

> > > So a check of "if (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in
> > > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and AP_MIN_PASSWORD_AGE
> > > policies.
> > > 
> > > I have patched the complete password policy on samba3.0 alpha22 (bad password
> > > attempt lockout, password history ..), and I have also put it on the mailing
> > > list, but no comments from Samba Team. We would like to have these patches
> > > applied to the new version of the Samba 3.0, because our applications need
> > > these policies.
> > > Should I put these patches for Samba3.0 a24 on the mailing list again?
> > 
> > I have them in my patch queue to evaluate (inbox :-). If you could post
> > the latest versions again that would help as I have several versions to
> > look at.

I will repost the last patch for alpha24. I think that at least the "logon 
time" patch could be in alpha24.

> 
> I've looked at them - and the main problem was the way that they decided
> that you were an admin and exempt.  I would actually prefer (given we
> still have unix logins aside from samba) that we lock the admin out with
> everybody else - the other solutions for deciding 'is admin' are just
> too ugly...
> 
> As to password history, I don't think this is the right approach, and
> instead we should use the approach suggested in the password quality
> patch - which is to give the problem to an external program.
> 
> (One of the measures of quality can be 'not submitted to this program as
> a password to change to recently').

I will look at that patch.
> 
> Unfortunately the password quality patch didn't make it into the feature
> freeze because I didn't get time to look over the resubmitted version,
> and there were still some changes that were discussed but not
> implemented in the patch.  
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net

Thanks.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
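
An added sketch, not Samba's code and not the patch from this thread, of the check proposed in the message above: the minimum and maximum password age policies are applied only when the account has ACB_NORMAL set, so a machine trust account can have its password set again right after creation. The struct layouts, `POLICY_OFF`, the numeric flag values, the 60-second gap, and every function name except the idea of `pdb_set_pass_changed_now` are assumptions made for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Flag names follow the thread; numeric values are assumed for this sketch. */
#define ACB_NORMAL  0x0010u          /* normal user account */
#define ACB_WSTRUST 0x0080u          /* workstation (machine) trust account */
#define POLICY_OFF  ((uint32_t)-1)   /* hypothetical "no restriction" marker */

struct policy  { uint32_t min_age, max_age; };   /* both in seconds */
struct account { uint32_t acct_ctrl; time_t last_set, can_change, must_change; };

/* Record a password change; age limits apply only to ACB_NORMAL accounts. */
void set_pass_changed_now(struct account *a, const struct policy *p, time_t now)
{
    a->last_set = now;
    a->can_change = now;     /* default: may change again immediately */
    a->must_change = 0;      /* sketch convention: 0 means "never expires" */
    if (!(a->acct_ctrl & ACB_NORMAL))
        return;              /* machine/trust accounts skip the age policies */
    if (p->min_age != POLICY_OFF)
        a->can_change = now + (time_t)p->min_age;
    if (p->max_age != POLICY_OFF && p->max_age != 0)
        a->must_change = now + (time_t)p->max_age;
}

/* Returns 1 if a change is allowed at `now`, 0 if the minimum age blocks it. */
int may_change_password(const struct account *a, time_t now)
{
    return now >= a->can_change;
}

/* Constructed scenario: password recorded at t0, changed again 60 s later. */
int change_allowed_after_create(uint32_t acct_ctrl, uint32_t min_age)
{
    struct policy p = { min_age, 42u * 86400u };
    struct account a = { acct_ctrl, 0, 0, 0 };
    time_t t0 = 1053500000;  /* constructed timestamp */
    set_pass_changed_now(&a, &p, t0);
    return may_change_password(&a, t0 + 60);
}

int main(void)
{
    printf("machine=%d user=%d\n", change_allowed_after_create(ACB_WSTRUST, 86400),
           change_allowed_after_create(ACB_NORMAL, 86400));
    return 0;
}
```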


