Password policy patch on Samba-3.0.2 for LDAP backend

Jim McDonough jmcd at us.ibm.com
Fri Feb 20 04:38:35 GMT 2004






>> Next, I'm declaring that I don't like magic uint32 values of 0xFFFFFFFF to
>> mean turn off duration, lockout count, and reset count time, because even 0
>> would be a silly value to be a valid policy...in other words, having a
>> lockout count of 0 would lock everyone out, a reset count of 0 would reset
>> everyone's badpw counter every time, and duration of 0 would reset
>> everyone's lockout flag immediately.  So 0 means these policies are turned
>> off.
>These values are defined by Microsoft, not us.  You should be able to
>set them from User Mangler, or get them via vampire, for example.
Upon examining further, these are not the values defined by Microsoft.
Account lockout disabled is a short, and 0 means no account lockout, not
-1.  And -1 for time (as a time_t, _not_ 0xFFFFFFFF...this will bite us on
64-bit platforms) does happen to be what we define by convention to be
infinite time.  It's not a Microsoft definition.

The other reason I'd done this is that this patch has a bug...in MS land,
for example, you can _never_ have a 0 duration for any of these, and if you
don't define the policy, that's what we initialize it to.

I'll switch the values back, but we also need to handle the case where the
time is set to 0, which is invalid.

----------------------------
Jim McDonough
IBM Linux Technology Center
Samba Team
6 Minuteman Drive
Scarborough, ME 04074
USA

jmcd at us.ibm.com
jmcd at samba.org

Phone: (207) 885-5565
IBM tie-line: 776-9984
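
Added example, not part of the original message and not Samba's code: a C sketch of the 64-bit pitfall discussed above, where a `time_t` holding -1 no longer equals 0xFFFFFFFF, and of rejecting a 0 duration. All function and macro names are hypothetical, and it assumes `time_t` is a signed integer type.

```c
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical name: "infinite" as it would sit in a 32-bit policy field. */
#define POLICY_FOREVER_U32 0xFFFFFFFFu

/* Fragile check: compares a time_t against the 32-bit magic value.
 * With a 64-bit time_t, (time_t)-1 is all 64 bits set, while the
 * widened magic value is 4294967295, so the two never match. */
static int is_forever_magic(time_t t)
{
    return t == (time_t)POLICY_FOREVER_U32;
}

/* Width-independent check using the -1 convention for infinite time. */
static int is_forever(time_t t)
{
    return t == (time_t)-1;
}

/* Convert a stored 32-bit value to time_t, mapping the sentinel
 * explicitly instead of relying on integer widening. */
static time_t policy_u32_to_time(uint32_t v)
{
    return (v == POLICY_FOREVER_U32) ? (time_t)-1 : (time_t)v;
}

/* Assumed rule from the message: a duration of 0 is invalid.
 * Valid values are "forever" or a positive number of seconds. */
static int policy_duration_valid(time_t t)
{
    return is_forever(t) || t > 0;
}

int main(void)
{
    time_t forever = policy_u32_to_time(POLICY_FOREVER_U32);

    printf("sizeof(time_t)            = %zu\n", sizeof(time_t));
    printf("magic compare on -1       = %d\n", is_forever_magic(forever));
    printf("(time_t)-1 compare on -1  = %d\n", is_forever(forever));
    printf("duration 0 valid          = %d\n", policy_duration_valid(0));
    printf("duration 1800 valid       = %d\n", policy_duration_valid(1800));
    return 0;
}
```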

