More about the bad password lock patch

Andrew Bartlett abartlet at
Tue Sep 16 22:37:53 GMT 2003

On Wed, 2003-09-17 at 07:02, David Barth wrote:
> Hi list,
> I'm trying to coordinate the contributions made by our team, here at IDEALX, 
> and I'm concerned about the best way to help and also to avoid doing 
> duplicate work.

I don't think that is a real concern.  Nothing in this whole area has
changed for months - except as prompted by your interest.

> Richard, Aurélien and Romeo are implementing the various security checks 
> related to user account management and will also probably look at TSE 
> extended attributes in the next weeks (a really big account has this on 
> top of its "showstopper" list).

Make sure you look closely at the work Samba-TNG did there - this
does not look hard to implement.  Mostly a matter of passing a blob back
and forth correctly.  I would suggest not even converting it to UTF8 etc.
- just store it as a binary blob.

> I'd like to make sure that what we're trying to do is not already in the 
> works by other people on this list (Jeremy, Andrew, others?). Should we 
> go on with our patches or stop because you are more advanced than we 
> already are? I would be disappointed to have wasted some of our 
> efforts, but it's better to change goals now than later.

Generally, in this game you should continue to work on your patches
until somebody says 'I'll take it from here', and they actually do. 
Consider if you had not picked up the 'password lock' patch, because it
looked like somebody else was working on it.  In reality, the
duplication of effort isn't a problem - as long as everybody keeps the
list up to date.  The extra testing, and different approaches to the
problem usually mean it's never wasted anyway.

> To let you know what we are planning for the next weeks:
>     * immediate goal is to have all ext. attributes handled (bad pwd, 
> time reset, min/max pwd age, TSE)
>     * more distant goal (1-2 months) is to have a working implementation 
> of BDC/PDC sync with a real NT controller (if anyone is currently working 
> on this please tell Richard)
>     * mainly 3 people are working full time on fixing code or 
> implementing new controls
>     * we also have a team of engineers doing regression and load testing 
> with canned VMware test environments

Sounds impressive!  (And more importantly, it also sounds realistic)

The biggest thing you are missing for all this is proper group support
(always been a bit of a problem for us).  idra is working on that area
again, but I'm not sure how much time he has.

> I think the work done so far with ext. attributes is close to our 
> overall goal of doing BDC/PDC sync.
> We intend to change the patches sent so far to integrate your 
> recommendations (maintaining binary compat. for TDB bases, using a new 
> callback for the LDAP atomic incrementation, etc.). As a bonus, you can 
> let us do the dirty work of trying to guess the position of the 
> remaining 'unknown_x' bits ;-)
> Also, about TDB binary compatibility: it seems that TSE attribs can't 
> fit inside the remaining bits (sam account footprints being different 
> between regular NT and TSE?): should we change TDB now or wait for a 
> future release?

We will need to move to a new TDB format at some stage (with transparent
upgrade etc.), but we should try to put it off for as long as possible.

> Let us know if you're OK with letting us finish this work (and maintain it 
> in future releases).

Keep an eye on what jra is doing in the short-term, but this sounds

Andrew Bartlett

Andrew Bartlett                                 abartlet at
Manager, Authentication Subsystems, Samba Team  abartlet at
Student Network Administrator, Hawker College   abartlet at
