Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.
Jianliang Lu
j.lu at tiesse.com
Wed May 21 07:25:46 GMT 2003
> On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> > On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > > We should apply the password restriction only for a NORMAL USER, not for a
> > > machine account, otherwise the joindomain will fail!
>
> Is there any evidence that this has ever occurred? We do not look at
> this attribute when checking machine passwords...
>
Yes! When we applied the "min password age" policy for 1 day, a
joindomain failed. After the fix all went fine.
> > > So a check of "if
> > > (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in
> > > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and AP_MIN_PASSWORD_AGE
> > > policies.
> > >
> > > I have patched the complete password policy on samba3.0 alpha22 (bad password
> > > attempt lockout, password history ..), and I have also put it on the mailing
> > > list, but no comments from Samba Team. We would like to have these patches
> > > applied to the new version of the Samba 3.0, because our applications need
> > > these policies.
> > > Should I put again these patches for Samba3.0 a24 on the mailing list?
> >
> > I have them in my patch queue to evaluate (inbox :-). If you could post
> > the latest versions again that would help as I have several versions to
> > look at.
I will repost the last patch for alpha24. I think that at least the "logon
time" patch could be in alpha24.
>
> I've looked at them - and the main problem was the way that they decided
> that you were an admin and exempt. I would actually prefer (given we
> still have unix logins aside from samba) that we lock the admin out with
> everybody else - the other solutions for deciding 'is admin' are just
> too ugly...
>
> As to password history, I don't think this is the right approach, and
> instead we should use the approach suggested in the password quality
> patch - which is to give the problem to an external program.
>
> (One of the measures of quality can be 'not submitted to this program as
> a password to change to recently').
I will look at that patch.
>
> Unfortunately the password quality patch didn't make it into the feature
> freeze because I didn't get time to look over the resubmitted version,
> and there were still some changes that were discussed but not
> implemented in the patch.
>
> Andrew Bartlett
>
> --
> Andrew Bartlett abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team abartlet at samba.org
> Student Network Administrator, Hawker College abartlet at hawkerc.net
> http://samba.org http://build.samba.org http://hawkerc.net
Thanks.
Jianliang Lu
TieSse s.p.a.
Via Jervis, 60. 10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
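
The following is an added example, not part of the original message and not Samba's code: a simplified C model of the account-type check proposed above, showing how a 1-day minimum password age blocks a machine account's next password change unless the policy is limited to `ACB_NORMAL` accounts. The struct and `model_*` names, the `only_normal` switch and the timestamp are assumptions made for illustration; the `ACB_*` values are the standard SAMR account control bits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* Account control bits (SAMR values). */
#define ACB_NORMAL  0x0010  /* normal user account */
#define ACB_WSTRUST 0x0080  /* workstation (machine) trust account */

/* Hypothetical stand-in for the SAM account record. */
struct model_account {
    uint32_t acct_ctrl;
    time_t pass_last_set;
    time_t pass_can_change;   /* earliest time the next change is accepted */
    time_t pass_must_change;  /* expiry time; 0 means never */
};

/* Hypothetical policy holder: ages in seconds, 0 disables the policy. */
struct model_policy { time_t min_password_age; time_t max_password_age; };

/* Model of stamping a password change. only_normal=true applies the age
 * policies to ACB_NORMAL accounts only, as the message proposes. */
void model_set_pass_changed_now(struct model_account *a,
                                const struct model_policy *p,
                                time_t now, bool only_normal)
{
    bool apply = !only_normal || (a->acct_ctrl & ACB_NORMAL);
    a->pass_last_set = now;
    a->pass_can_change = now;   /* default: may change immediately */
    a->pass_must_change = 0;    /* default: never expires */
    if (!apply)
        return;                 /* machine account: policies skipped */
    if (p->min_password_age)
        a->pass_can_change = now + p->min_password_age;
    if (p->max_password_age)
        a->pass_must_change = now + p->max_password_age;
}

/* Is a password change accepted at time 'now'? */
bool model_change_allowed(const struct model_account *a, time_t now)
{
    return now >= a->pass_can_change;
}

/* Constructed scenario: password set, then changed again 60 seconds later
 * under a 1-day minimum age. Returns whether the second change is accepted. */
bool model_second_change_ok(uint32_t acct_ctrl, bool only_normal)
{
    struct model_policy p = { 86400, 0 };
    struct model_account a = { acct_ctrl, 0, 0, 0 };
    time_t t0 = 1053500000;     /* constructed timestamp */
    model_set_pass_changed_now(&a, &p, t0, only_normal);
    return model_change_allowed(&a, t0 + 60);
}

int main(void) { return model_second_change_ok(ACB_WSTRUST, true) ? 0 : 1; }
```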