More about the bad password lock patch

David Barth dbarth at idealx.com
Tue Sep 16 21:02:27 GMT 2003


Hi list,

I try to coordinate the contributions made by our team, here at IDEALX, 
and I'm concerned about the best way to help and to also avoid doing 
duplicate work.

Richard, Aurélien and Romeo are implementing the various security checks 
related to user accounts management and will also probably look at TSE 
extended attributes in the next weeks (a really big account has this on 
top of its "showstopper" list).

I'd like to make sure that what we're trying to do is not already in the 
works by other people on this list (Jeremy, Andrew, others ?). Should we 
go on with our patches or stop because you are more advanced than we 
already are ? I would be disappointed to have wasted some of our 
efforts, but it's better to change goals now than after.

To let you know what we are planning for the next weeks :
    * immediate goal is to have all ext. attributes handled (bad pwd,
      time reset, min/max pwd age, TSE)
    * more distant goal (1-2 months) is to have a working implementation
      of BDC/PDC sync with a real NT controller (if anyone is currently
      working on this please tell Richard)
    * mainly 3 people are working full time on fixing code or
      implementing new controls
    * we also have a team of engineers doing regression and load testing
      with canned-vmwared test environments

I think the work done so far with ext. attributes is close to our 
overall goal of doing BDC/PDC sync.
We intend to change the patches sent so far to integrate your 
recommendations (maintaining binary compat. for TDB bases, using a new 
callback for the LDAP atomic incrementation, etc.). As a bonus, you can 
let us do the dirty work of trying to guess the position of the 
remaining 'unknown_x' bits ;-)

Also, about TDB binary compatibility : it seems that TSE attribs can't 
fit inside the remaining bits (sam accounts footprints being different 
between regular NT and TSE ?) : should we change TDB now or wait for a 
future release ?

Let us know if you're OK with letting us finish this work (and maintain it 
in future releases).

Thanks
-- 
dbarth



