R: Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24: observation

PINTO ELIA PINTO.ELIA at INSEDIA.INTERBUSINESS.IT
Wed May 21 14:59:02 GMT 2003


I mostly agree with the approach that Mr. Jianliang takes.
As the NT and LM password hashes are in the Samba LDAP schema, so would be the
NT and LM password hashes necessary for the password history (also bad
password attempts, last logon). IMHO, using LDAP replication (the right
choice, isn't it?) as an alternative to MS-RPC "SAM replication" between a
Samba PDC/BDC requires that these attributes are replicated as well.

Regards

-----Original Message-----
From: Jianliang Lu [mailto:j.lu at tiesse.com]
Sent: Wednesday, 21 May 2003 9:26
To: samba-technical at lists.samba.org
Cc: PINTO.ELIA at insedia.interbusiness.it
Subject: Re: Bugs fix in "pdb_set_pass_changed_now" on samba3.0-alpha24.


> On Wed, 2003-05-21 at 07:25, jra at dp.samba.org wrote:
> > On Tue, May 20, 2003 at 12:11:37PM +0200, Jianliang Lu wrote:
> > > We should apply the password restriction only for a NORMAL USER, not
> > > for a machine account, otherwise the joindomain will fail!
> 
> Is there any evidence that this has ever occurred?  We do not look at
> this attribute when checking machine passwords...
> 

Yes! When we applied the "min password age" policy for 1 day, a
joindomain failed. After the fix all went fine.

> > > So a check of "if
> > > (pdb_get_acct_ctrl(sampass)&(ACB_NORMAL))" is needed in
> > > "pdb_set_pass_changed_now" for AP_MAX_PASSWORD_AGE and
> > > AP_MIN_PASSWORD_AGE policies.
> > > 
> > > I have patched the complete password policy on samba3.0 alpha22 (bad
> > > password attempt lockout, password history ..), and I have also put it
> > > on the mailing list, but no comments from Samba Team. We would like to
> > > have these patches applied to the new version of the Samba 3.0, because
> > > our applications need these policies.
> > > Should I put again these patches for Samba3.0 a24 on the mailing list?
> > 
> > I have them in my patch queue to evaluate (inbox :-). If you could post
> > the latest versions again that would help as I have several versions to
> > look at.

I will repost the last patch for alpha24. I think that at least the "logon 
time" patch could be in alpha24.

> 
> I've looked at them - and the main problem was the way that they decided
> that you were an admin and exempt.  I would actually prefer (given we
> still have unix logins aside from samba) that we lock the admin out with
> everybody else - the other solutions for deciding 'is admin' are just
> too ugly...
> 
> As to password history, I don't think this is the right approach, and
> instead we should use the approach suggested in the password quality
> patch - which is to give the problem to an external program.
> 
> (One of the measures of quality can be 'not submitted to this program as
> a password to change to recently').

I will look at that patch.
> 
> Unfortunately the password quality patch didn't make it into the feature
> freeze because I didn't get time to look over the resubmitted version,
> and there were still some changes that were discussed but not
> implemented in the patch.  
> 
> Andrew Bartlett
> 
> -- 
> Andrew Bartlett                                 abartlet at pcug.org.au
> Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
> Student Network Administrator, Hawker College   abartlet at hawkerc.net
> http://samba.org     http://build.samba.org     http://hawkerc.net

Thanks.

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60.  10015 Ivrea (To) - Italy
j.lu at tiesse.com
luj at libero.it
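The check discussed in the thread above (applying the min/max password-age policy only to ACB_NORMAL accounts so that machine accounts can still join), as an added example in C that is neither Samba's code nor the posters' patch: the ACB_* values are Samba's SAM account-control bits, while the sam_account and pw_policy structs and the two functions are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <time.h>

/* SAM account-control bits, with the values Samba uses. */
#define ACB_NORMAL   0x0010  /* normal user account */
#define ACB_WSTRUST  0x0080  /* workstation (machine) trust account */

/* Constructed stand-in for Samba's SAM account record (an assumption). */
struct sam_account {
    uint32_t acct_ctrl;     /* ACB_* bits */
    time_t   pass_last_set; /* when the password was last changed */
};

/* Age limits in seconds; in Samba these come from the
 * AP_MIN_PASSWORD_AGE / AP_MAX_PASSWORD_AGE policy values. */
struct pw_policy {
    time_t min_age;
    time_t max_age;
};

/* The fix from the thread: age policy is only meaningful for normal
 * users. Machine and trust accounts set their password during the
 * join, so a min-age rule applied to them makes the join fail. */
static bool age_policy_applies(const struct sam_account *a)
{
    return (a->acct_ctrl & ACB_NORMAL) != 0;
}

/* false only when a normal user tries to change the password again
 * before min_age has elapsed since the last change. */
bool pass_change_allowed(const struct sam_account *a,
                         const struct pw_policy *p, time_t now)
{
    if (!age_policy_applies(a) || a->pass_last_set == 0)
        return true;                 /* machine account, or never set */
    return (now - a->pass_last_set) >= p->min_age;
}

/* true when a normal user's password is older than max_age
 * (max_age == 0 means no expiry); never for machine accounts. */
bool pass_expired(const struct sam_account *a,
                  const struct pw_policy *p, time_t now)
{
    if (!age_policy_applies(a) || p->max_age == 0)
        return false;
    return (now - a->pass_last_set) > p->max_age;
}
```

With a one-day min_age, the user account is refused a second change after an hour while the workstation account is not, which is the join failure the thread describes.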


