Password policy patch on Samba-3.0.2 for LDAP backend

Andrew Bartlett abartlet at samba.org
Thu Feb 19 21:56:11 GMT 2004


On Fri, 2004-02-20 at 08:13, Jim McDonough wrote:
> 
> 
> 
> First of all, thanks for all the work!
> 
> I'm incorporating large pieces of this into password lockout support, but
> with a few modifications.  First, I'm doing it a bit at a time, so I'm
> starting with just lockout.
> 
> Next, I'm declaring that I don't like magic uint32 values of 0xFFFFFFFF to
> mean turn off duration, lockout count, and reset count time, because even 0
> would be a silly value to be a valid policy...in other words, having a
> lockout count of 0 would lock everyone out, a reset count of 0 would reset
> everyone's badpw counter every time, and duration of 0 would reset
> everyone's lockout flag immediately.  So 0 means these policies are turned
> off.

These values are defined by Microsoft, not us.  You should be able to
set them from User Mangler, or get them via vampire, for example.

> I've reorganized the fn()s that increment, and check for resets in passdb
> so that they are a bit easier to read, I believe, and will ultimately
> result in fewer calls.  But the overall function is the same.
> 
> Also, I'm not yet committing anything on the ldap backend, because as
> stated before, your design with multiple ldap servers for the DCs will best
> function with multi-master replication, which we cannot count on.  I'm
> still evaluating how to approach this, but one possibility is similar to
> windows in that reset counts will be cached locally and will only get
> committed for specific reasons (like lockout count reached).

I think this is best - but I don't mind an option for always consistent
backends.  If we have multi-master, then other things break (rid
allocation), so we can't exactly count on that either...

On parts of this patch not yet committed - I don't think we should have a
special case for the 'domain admins' group.  At least, I don't think we
should have that special case in the way it's currently proposed.  After
calling initgroups() is fine (which means reworking ordering of some
stuff), but the current code just seems the wrong way to do it.

Personally, on a unix server, I think having no special case here is
acceptable - the admin can log in with SSH and reset things with
pdbedit.  On microsoft servers, the admin account can be locked in
certain configurations, and only unlocked at the DC console.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net